
Servers

SSH

initial start

First, generate an SSH key locally:

ssh-keygen -t [rsa | ed25519 | ecdsa | dsa]

Common SSH key types

Refer to: Updating SSH keys to Ed25519

  • DSA: insecure
  • RSA: security depends on the key size; 3072-bit or 4096-bit keys are secure, smaller keys may need upgrading, and 1024-bit keys are already considered insecure.
  • ECDSA: security depends on your computer's ability to generate the random number used to create each signature, and the NIST curves used by ECDSA also have trustworthiness concerns.
  • Ed25519: currently the most recommended public-key algorithm

Then a ~/.ssh folder is created locally.

  • Private key (~/.ssh/id_rsa): sensitive and important!!
  • Public key (~/.ssh/id_rsa.pub): contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone.
  • Authorized keys file (~/.ssh/authorized_keys)

Copy the content of the client's id_rsa.pub into the server's authorized_keys file. Besides copying by hand, this can also be done from the command line, e.g.,

$ ssh-copy-id -p 30013 weiya@127.0.0.1
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
weiya@127.0.0.1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '30013' 'weiya@127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

After entering the login password correctly, the key has been copied; note that you are not logged into the target server at this point.

For AWS, logging in requires the .pem file, i.e.,

$ ssh -i YourKey.pem user@host

and copying files is

$ scp -i YourKey.pem YourFile user@host:~/YourFile

debug info: type

The number in the debug line identity file .../.ssh/id_* type <number> is just the integer value (zero-based) of the ssh_key_types enum, with -1 meaning error. 🔗

two consecutive ssh

$ ssh -t user@A ssh user@B

where -t avoids the warning

Pseudo-terminal will not be allocated because stdin is not a terminal.

which would freeze the session.

If the usernames are the same, the second username can be omitted.

Port forwarding makes this clearer. For example, to open a Jupyter session on node B, whose login node is A, and then access it in the local browser at http://127.0.0.1:28888, run

$ ssh -t -L 28888:localhost:8888 user@A ssh -L 8888:localhost:8888 user@B

ProxyJump might be an alternative, but it does not seem to work for a host reached through an -R reverse tunnel, such as ssh -J public@host inner@localhost:pppp.

ssh until succeed

$ until ./login_lab.sh; do sleep 5; done

refer to How to run ssh command until succeeded?
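The one-line until loop above retries forever. As an added example (not from the original notes), here is a POSIX sh version that generalizes it with a cap on attempts and a configurable delay; login_lab.sh is assumed to be your own login script, and flaky_login below is a constructed stand-in for it that fails twice before succeeding, so the example runs offline.

```shell
#!/bin/sh
# Added example: retry a command until it succeeds, with a maximum number
# of attempts and a delay between tries (generalizes
# `until ./login_lab.sh; do sleep 5; done`).

# retry_until MAX_ATTEMPTS DELAY_SECONDS CMD [ARGS...]
# Returns 0 as soon as CMD succeeds, 1 once MAX_ATTEMPTS are exhausted.
retry_until() {
    max=$1; delay=$2; shift 2
    attempt=1
    while ! "$@"; do
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up after $attempt attempts" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    return 0
}

# Constructed stand-in for ./login_lab.sh: fails until it has been
# called three times, using a counter file under TMPDIR (or /tmp).
FLAKY_COUNTER=${TMPDIR:-/tmp}/flaky_login_counter.$$
flaky_login() {
    n=$(cat "$FLAKY_COUNTER" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$FLAKY_COUNTER"
    [ "$n" -ge 3 ]
}

# Usage: real use would be `retry_until 20 5 ./login_lab.sh`;
# here the stand-in succeeds on the third try.
rm -f "$FLAKY_COUNTER"
retry_until 5 0 flaky_login && echo "connected after $(cat "$FLAKY_COUNTER") attempts"
```

With a real login script, a non-zero delay (e.g. 5 s as in the original loop) avoids hammering the server while it is down, and the attempt cap means an unattended script eventually fails loudly instead of looping forever.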

config file

Although it would be convenient to write a simple script login_xxx.sh to avoid typing the account and hostname, it becomes annoying when using scp. It is still possible to define custom functions such as scp_to_xxx or scp_from_xxx, but too many functions get confusing and their exact definitions are easy to forget.

Maybe we can try to write a config file (refer to Configuring your favourite hosts in SSH), in which we can define an alias for a hostname, and also specify the username, e.g., after defining

Host XX
Hostname REAL.HOSTNAME
User weiya

then I can just type ssh XX to access this server, and scp would also be much simpler, scp file XX:~/. More importantly, we can use tab-complete when entering the path, which cannot be enabled by custom functions scp_to_xx.

Warning

On the rocky server, it throws

Bad owner or permissions on ~/.ssh/config

although the personal PC works fine with the same permissions -rw-rw-r--. Refer to ssh returns “Bad owner or permissions on ~/.ssh/config” and change the permissions with

$ chmod 600 ~/.ssh/config

that is, -rw-------.

run GUI remotely/locally

weiya@T460p:~$ ssh weiya@G40
weiya@G40:~$ export DISPLAY=:0
weiya@G40:~$ firefox

Without setting DISPLAY as in the second line, it errors with

Error: no DISPLAY environment variable specified

Also, the value :0 can be found by running, on the server,

weiya@G40:~$ w
 20:29:30 up 10:01,  2 users,  load average: 1.53, 1.42, 1.40
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
weiya    :0       :0               10:28   ?xdm?  22:24   0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME

where :0 under the FROM column is the current display number.

Refer to: How to start a GUI software on a remote Linux PC via SSH

To run a server-side GUI program locally, i.e., to have the server's window sent to the local machine, add the -X option when logging in:

ssh -X

To speed up the GUI loading if necessary, try to enable compression, -C, refer to Why is Firefox so slow over SSH? - Unix & Linux Stack Exchange

scp

  • scp a file with name including colon

add ./ before the file name, since scp interprets the part before the colon x: as a [user@]host prefix even if the filename is wrapped in double quotes.

refer to How can I scp a file with a colon in the file name?

ServerAliveInterval and ClientAliveInterval

  • ServerAliveInterval and ServerAliveCountMax are set on the client side, i.e., ~/.ssh/config
  • ClientAliveInterval and ClientAliveCountMax are set on the server side, i.e., /etc/ssh/sshd_config

refer to What do options ServerAliveInterval and ClientAliveInterval in sshd_config do exactly?
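As an added example (not from the original notes), the following ~/.ssh/config ties together the alias idea from the config file section, the Jupyter tunnel through login node A from the port forwarding section, and the client-side keepalive options just described. The host names, user, port and key path are placeholders I made up; only the option names are real ssh_config keywords.

```sshconfig
# ~/.ssh/config  (must be mode 600, see the Warning above)

# Keepalive for every host: probe the server every 60 s and close the
# connection after 3 unanswered probes instead of leaving it hanging.
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Alias for the login node A (placeholder host name, user, port and key)
Host labA
    HostName login.example.org
    User weiya
    Port 30013
    IdentityFile ~/.ssh/id_ed25519

# Compute node B, reachable only through labA.
# ProxyJump replaces the `ssh -t labA ssh B` chain; LocalForward replaces
# the two -L options, so Jupyter on B:8888 appears at http://127.0.0.1:28888.
Host labB
    HostName nodeB.internal
    User weiya
    ProxyJump labA
    LocalForward 28888 localhost:8888
```

After this, ssh labB, scp file labB:~/ and tab completion of remote paths all work through the alias. For a host that is only reachable through an -R reverse tunnel, where the notes above found ProxyJump not to work, the explicit ssh -t ... ssh ... chain remains the fallback.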

Add User

$ useradd -m -s /bin/bash userName
$ passwd userName

Or explicitly specify the password with

useradd -p $(openssl passwd -1 "PASSWORD") -m userName

where -1 means to use the MD5 based BSD password algorithm 1, see man openssl-passwd for more details.

Create users in batch mode,

for i in {01..14}; do useradd -p $(openssl passwd -1 "PASSWORD\$") -m "project$i"; done

where symbol $ (if any) needs to be escaped by \.

Warning

As man useradd notes,

-p option is not recommended because the password (or encrypted password) will be visible by users listing the processes.
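Given that warning, here is an added example (not from the original notes) of creating the same numbered batch of accounts without putting the password on any command line: usernames are generated in a function, and user:password lines are piped to chpasswd (a standard shadow-utils tool that reads them from stdin), so nothing sensitive appears in a process listing. Since the password is an ordinary shell string, a $ needs no backslash when single-quoted. The prefix, range and password are placeholders.

```shell
#!/bin/sh
# Added example: batch account creation that keeps the password off argv.

# batch_users PREFIX FIRST LAST -> zero-padded names, one per line
# e.g. batch_users project 1 14 -> project01 ... project14
# (FIRST and LAST are plain integers, not 01/08, to avoid octal parsing)
batch_users() {
    prefix=$1; i=$2; last=$3
    while [ "$i" -le "$last" ]; do
        printf '%s%02d\n' "$prefix" "$i"
        i=$((i + 1))
    done
}

# chpasswd_input PREFIX FIRST LAST PASSWORD -> "name:password" lines in the
# format chpasswd expects on stdin. Generated data only; nothing is applied.
chpasswd_input() {
    batch_users "$1" "$2" "$3" | while IFS= read -r name; do
        printf '%s:%s\n' "$name" "$4"
    done
}

# create_users PREFIX FIRST LAST PASSWORD -- needs root; not run here.
# Equivalent to the page's useradd loop, but the plaintext travels over
# a pipe into chpasswd instead of through `useradd -p`.
create_users() {
    for name in $(batch_users "$1" "$2" "$3"); do
        useradd -m -s /bin/bash "$name"
    done
    chpasswd_input "$1" "$2" "$3" "$4" | chpasswd
}

# Usage (generator only; run create_users as root to apply):
chpasswd_input project 1 3 'PASSWORD$'
```

chpasswd hashes each password with the system's default method from /etc/login.defs, so this also sidesteps the choice of openssl passwd -1, which produces the legacy MD5-crypt ($1$) format.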

Grant sudo privileges

$ sudoedit /etc/sudoers
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
+weiya ALL=(ALL) NOPASSWD:ALL
+szcf715 ALL=(ALL) ALL

where NOPASSWD means that user weiya does not need to enter a password when using sudo, while szcf715 must enter a password to use sudo.

man sudoers gives some concrete configuration examples; search for example sudoers.

Refer to https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-16-04

  • list users in a group: lid -g GroupName, see also 🔗 and Issue 5

Install Spark

On a mainland cloud host, the download from the official site was cut off in less than 5 seconds, so I found the Tsinghua mirror.

The next day I realised it had not been cut off but had finished downloading, because that was not the actual download link; clicking through gives the recommended download links, which are the fast mirrors.

Along the way I learned wget's options -c for resuming a download and -t 0 for unlimited retries.

upgrade Java 7 to Java 8:

Oracle recently changed the license, so the PPA no longer works

Install from source

It was also the first time I heard of the update-alternatives command, which feels somewhat like changing the default program.

Then continue with the official documentation

nginx failed on a Tencent Cloud server

Cause: port 80 is occupied. Fix: kill the process occupying port 80

sudo fuser -k 80/tcp

Restart

sudo /etc/init.d/nginx restart

Reinstall nginx

I wanted to reinstall nginx and deleted /etc/nginx as well, but reinstalling failed with an error that the conf file could not be found.

Refer to: How to reinstall nginx if I deleted /etc/nginx folder (Ubuntu 14.04)?

Use

apt-get purge nginx nginx-common nginx-full
apt-get install nginx

Note that purge does not keep the configuration files, while remove does.

CentOS 7

I wanted to plot with Julia's PGFPlotsX directly on the server, because by default it pops up the generated pdf figure unless configured as in the official tutorial with

PGFPlotsX.enable_interactive(false)

I expected it to open with evince, but it ended up opening in LibreOffice, and the fonts were inconsistent, so I wanted to change the default pdf viewer; refer to How to set default browser for PDF reader Evince on Linux?

Add or modify entries in .local/share/applications/mimeapps.list

Although in the end it still felt too slow to open through the server.

Install software without root

conda can install many other programs, such as tree,

conda install -c eumetsat tree

The trick is to check whether the package is available via https://anaconda.org/search?q=

refer to How to install packages in Linux (CentOS) without root user with automatic dependency handling?

tab fails to complete

Tab completion fails on the server, with the error

无法为立即文档创建临时文件:设备上没有空间

Because it is a third-party server where I have no permission to clean up /tmp, I followed Fixing the “cannot create temp file for here-document: No space left on device” problem

and added to .bashrc

export TMPDIR=$HOME/tmp

Let’s Encrypt

If it throws the following message,

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

it is necessary to upgrade the Certbot.

Configuring shadowsocks on Vultr

The previous configuration method no longer works, so I followed Easily set up Shadowsocks on a VPS to get through the firewall.

Setting up Apache on CentOS 7

References

  1. How To Install Linux, Apache, MySQL, PHP (LAMP) stack On CentOS 7
  2. CentOS 7.2: install and configure Apache 2.4 with multiple virtual hosts using yum

Following the first link, the site could not be accessed. I then tried modifying the configuration file following the second link.

Without success; in the end, on cy's advice, I released the server.

FTP

Upload and download files from command line, see 🔗 for more details.

$ ftp xx.xx.xx.xx
ftp> put XX
ftp> get XX
