2. SSH and remote management

What you will learn in this chapter:

- How SSH works and the basics of public-key cryptography
- `ssh-keygen`: creating keys (ed25519 is the modern choice)
- `~/.ssh/config`: one of the most powerful features of the SSH client
- `scp` vs `rsync`: copying files
- Running remote commands and sending scripts through a heredoc
- Port forwarding: local, remote, SOCKS
- Real example: a deploy script (build + rsync + restart + health check)

Time: ~35 minutes. Exercises: `bashlings watch 12_ssh` (future sprint)
2.1. Why SSH?

Server administration, DevOps, deployment, remote debugging: none of it works without SSH:

- Connecting to a cloud server (`ssh ec2-user@1.2.3.4`)
- Analysing logs in production (`ssh prod 'tail -f /var/log/app.log'`)
- Deploying code (`rsync -avz ./dist/ prod:/var/www/`)
- Connecting to a database through a local tunnel (`ssh -L 5432:db:5432 prod`)
- "Jumping" to a second server through a first one (`ssh -J jump prod`)

Key idea

SSH is the standard for secure communication with remote systems. Passwordless authentication (with keys) is the only acceptable method in production.
2.2. How does SSH work? (briefly)

```
Client (you)                                        Server
------------                                        ------
1. Connection request   --------------------------->
                        <--------------------------- server public key
2. Check the server fingerprint
   (first time: save it to `known_hosts`)
3. Encrypted channel established (Diffie-Hellman key exchange)
4. Authentication       --------------------------->
   - Password (weak)
   - Or SSH key (strong):
     a) the client offers its public key
     b) the server checks whether it is listed in `authorized_keys`
     c) the server sends a random challenge
     d) the client signs it with the private key
     e) the server verifies the signature with the public key
```

Key idea: the private key stays with you, the public key goes on the server. They never change places.

The private key is the most important secret

Never send, copy, or commit your private key to a repository. If it is lost there is no recovery: revoke a lost key immediately (remove its public half from every `authorized_keys` it was added to).
2.3. First SSH connection

```bash
ssh user@host.example.com
# On the first connection:
# The authenticity of host 'host.example.com (1.2.3.4)' can't be established.
# ED25519 key fingerprint is SHA256:xyz123...
# Are you sure you want to continue connecting (yes/no)?
yes
# Warning: Permanently added 'host.example.com' to the list of known hosts.
user@host.example.com's password:
```

On the first connection, verify the fingerprint. You should already have the expected value from CI or from the real server (for example from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server over a channel you trust): compare the two before typing `yes`.
Main flags

| Flag | Meaning |
|---|---|
| `-p <port>` | Custom port (default 22) |
| `-i <file>` | Specific private key file |
| `-l <user>` | User name (`-l user` = `user@host`) |
| `-v -vv -vvv` | Verbose (debug; more v's, more output) |
| `-N` | Do not run a command (for tunnels) |
| `-f` | Go to the background (`-fN` is the classic tunnel combination) |
| `-J <jump>` | Through a jump host |
| `-A` | SSH agent forwarding (be careful!) |
| `-X / -Y` | X11 forwarding |

```bash
ssh -p 2222 ali@server.com        # custom port
ssh -i ~/.ssh/prod_key ali@prod   # specific key
ssh -vvv ali@server.com           # debug: find out why a connection fails
```

2.4. Creating SSH keys
You need a key pair for passwordless auth.

```bash
ssh-keygen -t ed25519 -C "ali@example.com"
# Generating public/private ed25519 key pair.
# Enter file in which to save the key (/Users/ali/.ssh/id_ed25519):
# Enter passphrase (empty for no passphrase):
# Enter same passphrase again:
# Your identification has been saved in /Users/ali/.ssh/id_ed25519
# Your public key has been saved in /Users/ali/.ssh/id_ed25519.pub
```

Flags
| Flag | Meaning |
|---|---|
| `-t ed25519` | Algorithm: ed25519 (modern, small, fast) |
| `-t rsa -b 4096` | RSA 4096-bit for old systems |
| `-C "..."` | Comment (usually an email address) |
| `-f <file>` | Custom file path |
| `-N "..."` | Passphrase given as an argument |

Which algorithm?

ed25519 is today's standard choice. rsa 4096-bit is for old systems (very old ones do not support ed25519). dsa and small RSA keys: do not use them (weak security).
Key files

```bash
~/.ssh/id_ed25519        # private key (SECRET!)
~/.ssh/id_ed25519.pub    # public key (safe to share with others)
~/.ssh/known_hosts       # fingerprints of the servers you have seen
~/.ssh/authorized_keys   # who may log in to YOUR server
~/.ssh/config            # connection settings (the most important one!)
```

Should the key have a passphrase?

Yes, if:
- the laptop could get lost
- you use a strong passphrase together with `ssh-agent`

No, if:
- it is a server-to-server cron script (non-interactive)
- it is a CI workflow

With `ssh-agent` you enter the passphrase once and it stays cached afterwards (§2.11).
2.5. ssh-copy-id: uploading the key to the server

Manually you would have to append the public key to `authorized_keys` on the server. ssh-copy-id automates this:

```bash
ssh-copy-id ali@server.com
# Asks for the password once (for the last time!)
# Key auth works from now on:
ssh ali@server.com   # no password prompt
```

Manual variant (when ssh-copy-id is not available)

```bash
cat ~/.ssh/id_ed25519.pub \
  | ssh ali@server.com 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
```

Permissions matter

`~/.ssh/` must be 700 and `authorized_keys` 600. Otherwise sshd does not trust them and authentication fails. ssh-copy-id fixes this automatically.
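An added example (not from the course) that automates the permission check just described: it audits an `.ssh` directory the way sshd's StrictModes does and reports anything too permissive. The allowed modes (700 for the directory, 600 for private keys, `authorized_keys` and `config`, up to 644 for `*.pub` and `known_hosts`) and the function names are my assumptions.

```bash
#!/usr/bin/env bash
# ssh_dir_audit: report entries under an .ssh directory whose mode is looser
# than sshd's StrictModes tolerates. Added example, not part of the course.
# Assumed policy: directory 700; private keys, authorized_keys and config 600;
# *.pub and known_hosts may be 644.
set -euo pipefail

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ssh_dir_audit <dir>: prints one line per finding, returns 1 if there is any.
ssh_dir_audit() {
  local dir="$1" rc=0 f name mode max
  [[ -d "$dir" ]] || { echo "missing: $dir"; return 1; }
  mode=$(file_mode "$dir")
  if [[ "$mode" != "700" ]]; then
    echo "$dir is $mode, expected 700"; rc=1
  fi
  for f in "$dir"/*; do
    [[ -f "$f" ]] || continue
    name=${f##*/}
    case "$name" in
      *.pub|known_hosts) max=644 ;;   # world-readable is fine here
      *)                 max=600 ;;   # keys, authorized_keys, config
    esac
    mode=$(file_mode "$f")
    # Any permission bit set beyond the allowed mask is a finding.
    if (( (8#$mode & ~8#$max) != 0 )); then
      echo "$name is $mode, expected at most $max"; rc=1
    fi
  done
  return "$rc"
}
```

Run it as `ssh_dir_audit ~/.ssh` on the client and on the server (against the deploy user's home) after a manual key install.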
2.6. ~/.ssh/config: the magic of SSH

This is one of the least known but most powerful features of the SSH client.

Imagine typing `ssh -p 2222 -i ~/.ssh/prod_key ali@server-prod.example.com` every single time. Painful.

Write it once in `~/.ssh/config`:

```
Host prod
    HostName server-prod.example.com
    User ali
    Port 2222
    IdentityFile ~/.ssh/prod_key
```

Now:

```bash
ssh prod
scp data.tar.gz prod:/opt/
rsync -avz dist/ prod:/var/www/
```

All of them automatically pick up the right settings.
Full example: ~/.ssh/config

```
# Defaults for all hosts
Host *
    ServerAliveInterval 60      # one ping every 60s (idle keepalive)
    ServerAliveCountMax 3       # 3 missed replies: disconnect
    AddKeysToAgent yes
    UseKeychain yes             # macOS: Keychain integration

# Production server
Host prod
    HostName prod.example.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/prod_ed25519

# Staging, reached through a jump host (bastion pattern)
Host staging
    HostName 10.0.5.42          # internal IP
    User deploy
    ProxyJump bastion           # first to bastion, then on to staging

# Bastion (jump host)
Host bastion
    HostName bastion.example.com
    User ali
    IdentityFile ~/.ssh/bastion_key

# Wildcard: everything in the company is *.internal
Host *.internal
    User ali
    IdentityFile ~/.ssh/company_key

# Dedicated key for GitHub
Host github.com
    User git
    IdentityFile ~/.ssh/github_ed25519
```

Two things to know about this file. ssh keeps the first value it finds for each option, so a `Host *` block placed at the top cannot be overridden by the host blocks below it; put generic defaults last if some hosts need different values. And `UseKeychain` is understood only by Apple's OpenSSH build: on Linux it is an unknown option and ssh rejects the whole file, so keep it in a macOS-only config or precede it with `IgnoreUnknown UseKeychain`.

Classic directives

| Directive | Meaning |
|---|---|
| `HostName` | Real hostname/IP |
| `User` | User name |
| `Port` | Port (default 22) |
| `IdentityFile` | Private key file |
| `ProxyJump <alias>` | Through a jump host |
| `ServerAliveInterval` | Keepalive ping (seconds) |
| `ControlMaster auto` | Connection multiplexing (faster reconnects) |
| `ControlPersist 10m` | Keep the multiplexed channel open |
| `LogLevel ERROR` | Silence noisy warnings |
| `IdentitiesOnly yes` | Use only the specified IdentityFile |
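To see what the client will actually use for an alias, ask `ssh -G`, which resolves the config without connecting. The script below is an added example (not from the course): it writes a constructed config mirroring the prod/staging/bastion layout above to a temporary file, and `make_config`, `resolved` and `show_alias` are my helper names.

```bash
#!/usr/bin/env bash
# Inspect the resolved SSH client config for an alias with `ssh -G`.
# Added example, not from the course; the config below is constructed.
set -euo pipefail

# make_config <path>: constructed config in the chapter's layout. Generic
# defaults go LAST because ssh keeps the first value it sees per option.
make_config() {
  cat > "$1" <<'EOF'
Host prod
    HostName prod.example.com
    User deploy
    Port 2222
    IdentityFile ~/.ssh/prod_ed25519
Host staging
    HostName 10.0.5.42
    User deploy
    ProxyJump bastion
Host bastion
    HostName bastion.example.com
    User ali
Host *
    ServerAliveInterval 60
EOF
}

# resolved <config> <alias> <keyword>: one resolved value, as `ssh -G`
# prints it (lowercase keyword, no connection attempted).
resolved() {
  ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# show_alias <config> <alias>: the options a deploy script cares about.
show_alias() {
  local cfg="$1" alias="$2" k
  for k in hostname user port identityfile proxyjump; do
    printf '%-13s %s\n' "$k" "$(resolved "$cfg" "$alias" "$k")"
  done
}

# Stand-alone use: ./resolve.sh staging
if [[ -n "${1:-}" ]]; then
  tmp=$(mktemp); make_config "$tmp"; show_alias "$tmp" "$1"; rm -f "$tmp"
fi
```

Point `-F` at your real `~/.ssh/config` (or omit it) to debug which block a host name is matching.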
Connection multiplexing (the most powerful optimization)

```
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 10m
```

The first connection runs at normal speed. Later connections reuse the existing channel and open almost instantly. A huge difference for CI and scripts. The socket directory must exist before the first connection: `mkdir -p ~/.ssh/sockets && chmod 700 ~/.ssh/sockets`.

macOS bonus

```
Host *
    UseKeychain yes
    AddKeysToAgent yes
```

The passphrase is stored in the macOS Keychain. You enter it once and are not asked again.
2.7. scp: copying files

scp (Secure CoPy) copies files over the SSH protocol.

```bash
# Local -> remote
scp file.txt ali@server:/tmp/
# Remote -> local
scp ali@server:/var/log/app.log ./
# Remote -> remote
scp ali@srv1:/data.txt ali@srv2:/backup/
# Recursive (directory)
scp -r dist/ ali@server:~/
# Custom port. CAREFUL: uppercase -P; lowercase -p means something else
scp -P 2222 file.txt ali@server:/tmp/
```

scp flags

| Flag | Meaning |
|---|---|
| `-r` | Recursive (for directories) |
| `-P <port>` | Uppercase P: port (lowercase -p preserves permissions and times) |
| `-i <key>` | Identity file |
| `-q` | Quiet (no progress) |
| `-l <limit>` | Bandwidth limit (Kbit/s) |
| `-C` | Compression |

Is scp deprecated?

In OpenSSH 9.0+ (2022) scp is officially deprecated; rsync or sftp are recommended instead. It still works, but use rsync in new projects.
2.8. rsync: powerful synchronisation

rsync synchronises files "by delta": it transfers only the parts that changed, not everything. Ideal for backups, deploys and mirrors.

Basic syntax

```bash
rsync -avz source/ target/
```

Careful: the trailing `/` matters!

```bash
rsync src/ dst/   # the contents of src go into dst
rsync src dst/    # the src directory itself goes into dst (creates dst/src/)
```

Classic flags: -avz

| Flag | Meaning |
|---|---|
| `-a` | Archive mode = `-rlptgoD` (recursive, links, permissions, times, group, owner, devices) |
| `-v` | Verbose |
| `-z` | Compression |

Writing the three together as `-avz` is rsync's classic combination.

Other important flags

| Flag | Meaning |
|---|---|
| `--delete` | Delete files in the target that do not exist in the source (mirror) |
| `--dry-run (-n)` | Test mode: shows what it would do |
| `--exclude='*.log'` | Skip by pattern |
| `--exclude-from=file` | Patterns read from a file |
| `--progress` | Progress bar |
| `-h` | Human-readable sizes |
| `--bwlimit=1000` | Bandwidth limit (KB/s) |
| `-e 'ssh -p 2222'` | Custom SSH command (port + key) |

Real examples

```bash
# Production deploy: also removes old files
rsync -avz --delete \
  --exclude='node_modules' \
  --exclude='.git' \
  --exclude='*.log' \
  ./dist/ prod:/var/www/

# Preview without executing
rsync -avzn --delete ./src/ prod:/opt/
# (lists the new files and the ones that would be deleted)

# Backup: keep the old versions (--backup)
rsync -avz --backup --backup-dir=/backups/$(date +%F) \
  ~/Documents/ backup-server:/backups/current/

# Large files: resume + bandwidth limit
rsync -avz --partial --bwlimit=5000 \
  big.iso ali@server:/data/
```

--dry-run: always first

Before deploying to production, always run `rsync -avzn --delete` first (n = dry-run). Especially with `--delete`: you see which files would be removed.
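The two ways `--delete` goes wrong (an empty or missing source that wipes the target, and a forgotten trailing slash) are both cheap to catch before rsync runs. This added example (not from the course) wraps the dry run in a guard; `rsync_delete_guard`, `with_slash`, `count_deletions` and `safe_mirror` are my names.

```bash
#!/usr/bin/env bash
# Guard around `rsync -avz --delete`: refuse an empty or missing source,
# normalise the trailing slash, and dry-run first so deletions are visible.
# Added example, not from the course.
set -euo pipefail

# rsync_delete_guard <src>: 0 only if src is a directory with content.
rsync_delete_guard() {
  local src="$1"
  if [[ ! -d "$src" ]]; then
    echo "refusing: source '$src' is not a directory" >&2; return 1
  fi
  if [[ -z "$(ls -A "$src")" ]]; then
    echo "refusing: source '$src' is empty (--delete would wipe the target)" >&2
    return 1
  fi
}

# with_slash <path>: "dist" -> "dist/" so rsync copies the CONTENTS of dist
# instead of creating a nested dist/ inside the target.
with_slash() { printf '%s/' "${1%/}"; }

# count_deletions <dry-run output>: number of "deleting ..." lines rsync printed.
count_deletions() { grep -c '^deleting ' <<<"$1" || true; }

# safe_mirror <src> <dst>: guard, dry run with a deletion count, then sync.
safe_mirror() {
  local src dst preview n
  src=$(with_slash "$1"); dst="$2"
  rsync_delete_guard "$src" || return 1
  preview=$(rsync -avzn --delete "$src" "$dst")
  n=$(count_deletions "$preview")
  echo "dry run: $n file(s) would be deleted from $dst"
  rsync -avz --delete "$src" "$dst"
}

# Usage: safe_mirror ./dist prod:/var/www
```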
2.9. Running remote commands

One command

```bash
ssh ali@server 'uptime'
# 14:22:01 up 30 days, ...
```

Several commands

```bash
ssh ali@server 'cd /var/log && ls -la'
# Or chained with &&
ssh ali@server 'cd /tmp && tar -czf backup.tar.gz data/ && ls -lh backup.tar.gz'
```

Multi-line, through a heredoc

```bash
ssh ali@server bash <<'EOF'
set -euo pipefail
cd /opt/app
echo "Current version: $(cat VERSION)"
git pull
./build.sh
sudo systemctl restart app
echo "New version: $(cat VERSION)"
EOF
```

'EOF' (in quotes): nothing is interpolated locally; every expansion happens on the server, not on your machine.
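The quoted heredoc keeps the script on the server side, but a deploy usually needs local values (a directory, a version tag) inside it. This added example (not from the course) shows the safe pattern: the script body stays a quoted heredoc, and local values travel as arguments through `bash -s --`, re-quoted with `printf %q` because the remote login shell parses the command line a second time. `run_remote`, `to_remote_args` and `REMOTE_SCRIPT` are my names.

```bash
#!/usr/bin/env bash
# Send a quoted-heredoc script to a server with local values passed as
# arguments rather than spliced into the text. Added example, not from the course.
set -euo pipefail

# Script body that runs on the server. Quoted 'EOF': nothing is expanded here;
# $1 and $2 are filled in on the remote side from the arguments we pass.
read -r -d '' REMOTE_SCRIPT <<'EOF' || true
set -euo pipefail
app_dir="$1"; tag="$2"
printf 'dir=%s tag=%s host=%s\n' "$app_dir" "$tag" "$(uname -n)"
EOF

# to_remote_args <args...>: shell-quote each argument so that the remote
# login shell's second parse reproduces it exactly (spaces, quotes, $).
to_remote_args() { printf '%q ' "$@"; }

# run_remote <host> <args...>: bash on the server reads the script from stdin
# and receives the arguments as $1, $2, ...
run_remote() {
  local host="$1"; shift
  ssh "$host" "bash -s -- $(to_remote_args "$@")" <<<"$REMOTE_SCRIPT"
}

# Example call (uses the chapter's 'prod' alias):
#   run_remote prod '/var/www/my app' 'v1.2 "rc"'
```

`printf %q` emits bash quoting; it is safe for paths and tags, but a remote login shell that is plain sh will not understand the `$'...'` form bash uses for non-printable characters.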
Capturing output

```bash
load=$(ssh ali@server "uptime | awk '{print \$10}' | tr -d ','")
echo "Server load: $load"
```

Quote escaping

The ' and " inside remote commands get confusing. A heredoc is the safest route. Otherwise double-escape:

```bash
ssh server "echo \"hi\""
ssh server 'echo "hi"'   # preferred
```

2.10. SSH tunneling: port forwarding
Local forward (-L): the most commonly used

```bash
# Bind local port 5432 to db.internal:5432 as seen from the server
ssh -L 5432:db.internal:5432 ali@jumphost
```

Now when you connect to localhost:5432 you actually reach db.internal:5432 through jumphost.

Usage:

```bash
psql -h localhost -p 5432 -U postgres
# You are really talking to the internal DB!
```

Background tunnel: -fN

```bash
ssh -fN -L 5432:db.internal:5432 ali@jumphost
# Goes to the background; does not occupy the terminal
# To stop it:
ps aux | grep 'ssh -fN' | grep -v grep
kill <PID>
```

-f: background, -N: do not run a command (tunnel only).

Remote forward (-R)

```bash
# Forward port 8080 on the server to local port 3000
ssh -R 8080:localhost:3000 ali@server
```

Useful for showing a local dev server to the team through the server (or for webhooks). By default sshd binds a remote forward to the server's loopback address only; exposing it on other interfaces requires `GatewayPorts` on the server side.

Dynamic forward: SOCKS proxy (-D)

```bash
ssh -D 1080 ali@jumphost
# Configure the browser to use the SOCKS5 proxy at localhost:1080
# All its traffic now goes through jumphost
```

Useful for reaching a corporate network without a VPN.

Tunnel table

| Flag | Direction | Typical use |
|---|---|---|
| `-L LOCAL:HOST:REMOTE` | Local to remote | Connecting to an internal DB |
| `-R REMOTE:HOST:LOCAL` | Remote to local | Webhook channel, dev preview |
| `-D PORT` | Dynamic SOCKS | Browser proxy |
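Stopping a background tunnel with `ps aux | grep | kill` is fragile; a control socket lets you check and stop the exact tunnel by name. This added example (not from the course) wraps the `-fN -L` tunnel above in master mode; the host names follow the chapter, and `SOCK_DIR`, `tunnel_args`, `tunnel_up`, `tunnel_check`, `tunnel_down` and `port_open` are my names.

```bash
#!/usr/bin/env bash
# Run a background tunnel with a control socket so it can be checked and
# stopped by name. Added example, not from the course.
set -euo pipefail

SOCK_DIR="${SOCK_DIR:-$HOME/.ssh/sockets}"

# tunnel_args <host> <local_port> <target_host:port>: one ssh argument per line.
# -M starts a master, -S names its socket, ExitOnForwardFailure makes ssh fail
# loudly if the local port is already taken instead of silently connecting.
tunnel_args() {
  local host="$1" lport="$2" target="$3"
  printf '%s\n' -fNM -S "$SOCK_DIR/tunnel-$host-$lport" \
    -o ExitOnForwardFailure=yes -L "$lport:$target" "$host"
}

tunnel_up() {      # start the tunnel in the background
  local a; local -a args=()
  mkdir -p "$SOCK_DIR" && chmod 700 "$SOCK_DIR"
  while IFS= read -r a; do args+=("$a"); done < <(tunnel_args "$@")
  ssh "${args[@]}"
}
tunnel_check() {   # reports "Master running (pid N)" or exits non-zero
  ssh -S "$SOCK_DIR/tunnel-$1-$2" -O check "$1"
}
tunnel_down() {    # ask the master to exit; no PID hunting
  ssh -S "$SOCK_DIR/tunnel-$1-$2" -O exit "$1"
}

# port_open <host> <port>: true if something accepts TCP there (bash /dev/tcp,
# no nc needed); check this before pointing psql at the local end.
port_open() { (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; }

# Usage: tunnel_up jumphost 5432 db.internal:5432
#        port_open 127.0.0.1 5432 && psql -h localhost -p 5432 -U postgres
#        tunnel_down jumphost 5432
```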
2.11. ssh-agent: key management

Typing the passphrase every time is tedious. ssh-agent keeps it in memory:

```bash
# Start the agent (at the beginning of the session)
eval "$(ssh-agent -s)"
# Add the key (the passphrase is asked once)
ssh-add ~/.ssh/id_ed25519
# List the loaded keys
ssh-add -l
# Remove all of them
ssh-add -D
```

Built in on macOS

```
Host *
    UseKeychain yes
    AddKeysToAgent yes
```

Keychain integration stores the passphrase in the macOS Keychain. It survives a reboot.

Agent forwarding (-A): be careful!

```bash
ssh -A jumphost
# While you are on jumphost and connect on to another server,
# your local key is used (it is not stored on the jump host)
```

The risk of agent forwarding

With `-A`, root on the jump host can use your key for as long as you are connected (if the jump host is compromised). Use ProxyJump (`-J`) instead:

```bash
ssh -J jumphost destination
```

ProxyJump does not leave your key, or access to it, on the jump host.
2.12. Real example: a deploy script

```bash
#!/usr/bin/env bash
#
# deploy.sh: build locally -> rsync to the server -> restart -> health check
#
# Usage:
#   ./deploy.sh staging
#   ./deploy.sh prod
set -euo pipefail
IFS=$'\n\t'

readonly ENV="${1:?Usage: $0 <staging|prod>}"

# Configuration per environment
case "$ENV" in
  staging)
    SSH_HOST="staging"
    APP_DIR="/var/www/staging"
    HEALTH_URL="https://staging.example.com/health"
    ;;
  prod)
    SSH_HOST="prod"
    APP_DIR="/var/www/app"
    HEALTH_URL="https://example.com/health"
    ;;
  *)
    echo "Unknown environment: $ENV" >&2
    exit 1
    ;;
esac

log() { printf '[%s] %s\n' "$(date +%T)" "$*"; }

# --- 1. Local build ---
log "Local build..."
npm ci --silent
npm run build

# --- 2. Smoke test (check that the build succeeded) ---
[[ -f dist/index.html ]] || {
  log "Build failed: dist/index.html is missing"
  exit 1
}

# --- 3. Rsync ---
log "Rsync -> $SSH_HOST:$APP_DIR ..."
rsync -avz --delete \
  --exclude='*.log' \
  --exclude='.env.local' \
  ./dist/ "$SSH_HOST:$APP_DIR/"

# --- 4. Remote restart ---
log "Server restart..."
# Unquoted EOF on purpose: $APP_DIR is expanded locally before the script is sent
ssh "$SSH_HOST" bash <<EOF
set -euo pipefail
cd "$APP_DIR"
sudo systemctl restart app
sudo systemctl status app --no-pager | head -5
EOF

# --- 5. Health check (max 30s) ---
log "Health check: $HEALTH_URL"
for i in {1..15}; do
  if curl -fsS --max-time 5 "$HEALTH_URL" > /dev/null; then
    log "Server is up (attempt $i/15)"
    exit 0
  fi
  sleep 2
done

log "Health check failed"
exit 1
```

Running it:

```bash
chmod +x deploy.sh
./deploy.sh staging   # test on staging first
./deploy.sh prod      # production
```

What does this script do?
| Step | Technique |
|---|---|
| Choosing the environment | `case` statement, `$1` argument |
| Local build | `npm ci && npm run build` |
| Smoke test | Checking that the build succeeded |
| Atomic upload | `rsync -avz --delete`: old files cleaned up |
| Remote orchestration | `ssh ... bash <<EOF` heredoc |
| Service restart | `systemctl restart` |
| Health check loop | `curl -fsS --max-time 5`, 15 attempts |
| Error handling | `set -euo pipefail` everywhere |
| Structured logging | `log()` function + timestamp |

One caveat on the "atomic upload" row: rsync replaces files in place, so the upload is atomic per file, not for the whole release. A fully atomic switch needs a fresh release directory plus a symlink flip.
2.13. Security practices

Production configuration

Server side (`/etc/ssh/sshd_config`):

```
PasswordAuthentication no           # key auth only
PermitRootLogin prohibit-password   # root may not log in with a password
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300             # 5 minutes idle: disconnect
ClientAliveCountMax 2
AllowUsers ali deploy               # the permitted users
```

After changing the config:

```bash
sudo sshd -t                  # check the config syntax
sudo systemctl restart sshd
```

Keep the session you edited from open until a second login succeeds: a mistake that `sshd -t` does not catch (an `AllowUsers` list that leaves you out, for example) can lock you out of the server.
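Checking that the baseline is really in effect is harder than it looks, because sshd keeps the first occurrence of a keyword and ignores later duplicates, and keywords are case-insensitive. This added example (not from the course) audits sshd_config text with those rules; the sample config is constructed, and `effective` and `audit` are my names.

```bash
#!/usr/bin/env bash
# Audit sshd_config text against the baseline above. Two sshd rules matter:
# the FIRST occurrence of a keyword wins (later duplicates are ignored), and
# keywords are case-insensitive. Added example, not from the course.
set -euo pipefail

# Constructed sample: the later "PasswordAuthentication no" is shadowed.
SAMPLE_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
passwordauthentication yes   # left over from the image
PermitRootLogin prohibit-password
PasswordAuthentication no
MaxAuthTries 10
'

# effective <config_text> <keyword>: the value sshd will use, "" if unset.
effective() {
  awk -v k="$(tr 'A-Z' 'a-z' <<<"$2")" '
    { sub(/#.*/, "") }                   # drop comments, then re-split
    tolower($1) == k { print $2; exit }  # first match wins, as in sshd
  ' <<<"$1"
}

# audit <config_text>: one line per deviation from the baseline, rc 1 if any.
audit() {
  local cfg="$1" rc=0 v
  v=$(effective "$cfg" PasswordAuthentication)
  [[ "$v" == no ]] ||
    { echo "PasswordAuthentication is '${v:-unset}', want no"; rc=1; }
  v=$(effective "$cfg" PermitRootLogin)
  [[ "$v" == no || "$v" == prohibit-password ]] ||
    { echo "PermitRootLogin is '${v:-unset}', want no or prohibit-password"; rc=1; }
  v=$(effective "$cfg" MaxAuthTries)
  [[ "$v" =~ ^[0-9]+$ && "$v" -le 3 ]] ||
    { echo "MaxAuthTries is '${v:-unset}', want 3 or less"; rc=1; }
  return "$rc"
}
```

On a live host, feed it the effective configuration rather than the file: `audit "$(sudo sshd -T)"` (the `-T` output uses lowercase keywords, which `effective` handles).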
Minimum baseline

| Practice | Reason |
|---|---|
| Password auth disabled | Removes the brute-force risk |
| fail2ban installed | Automatic bans (3 failures = 1 hour IP ban) |
| Default port 22 moved elsewhere (optional) | A little protection from scanners |
| MFA (Google Authenticator) | Key + code = two layers |
| Audit log monitoring | `/var/log/auth.log` |
| Keys rotated every 1-2 years | Hygiene |
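For the audit-log row, here is detection logic over a few constructed `auth.log` lines (OpenSSH's standard message format; the IPs come from documentation ranges): failures per source and the sources past a threshold, which is what fail2ban automates. Added example, not from the course; `failed_by_ip`, `invalid_user_attempts` and `offenders` are my names.

```bash
#!/usr/bin/env bash
# Count failed SSH logins per source IP from auth.log lines and flag sources
# over a threshold. Added example, not from the course. The log lines are
# constructed in OpenSSH's format; the IPs come from documentation ranges.
set -euo pipefail

SAMPLE_LOG='Mar  1 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:05 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:07 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar  1 10:01:12 web1 sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2: ED25519 SHA256:constructed
Mar  1 10:02:30 web1 sshd[1214]: Failed password for ali from 198.51.100.7 port 40120 ssh2
'

# failed_by_ip <log_text>: "count ip" per source, highest first. The source
# is the field after "from", which covers both "for root from ..." and
# "for invalid user X from ..." variants.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' <<<"$1" | sort -rn
}

# invalid_user_attempts <log_text>: probes for accounts that do not exist
# (pure scanner noise once PasswordAuthentication is off).
invalid_user_attempts() {
  grep -c 'Failed password for invalid user ' <<<"$1" || true
}

# offenders <log_text> <threshold>: IPs with at least <threshold> failures,
# i.e. the ones a fail2ban jail with maxretry=3 (the table's setting) would ban.
offenders() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage on a real host: offenders "$(sudo tail -n 5000 /var/log/auth.log)" 3
```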
2.14. Common mistakes

Classic traps

- `Permission denied (publickey)`: wrong permissions on `~/.ssh`. Run `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys` on the server side.
- `Host key verification failed`: the host's IP or key changed. Only once you know the reason: `ssh-keygen -R hostname` removes the old entry.
- `ssh -A` on a jump host is a security hole. Recommendation: `ProxyJump` (`-J`), or `ProxyJump` in the config.
- `scp -P` vs `-p`. Uppercase P is the port; lowercase p preserves permissions.
- `rsync src dst` vs `rsync src/ dst/`. The trailing-slash difference is large: check with `--dry-run` every time.
- Carelessness with `rsync --delete`. If the source is missing or empty, it deletes everything in the target. Always preview with `-n` first.
- Quote interpolation in heredocs. `<<EOF` interpolates locally (`$var` is the local value); `<<'EOF'` leaves interpolation to the remote side. Do not mix them up.
- SSH not working from cron. The cron environment has no `SSH_AUTH_SOCK`, so `ssh-agent` is unavailable. Solution: start an agent at the top of the script, or pass an explicit `IdentityFile`.
2.15. Exercises

Coming later in the `bashlings watch 12_ssh` package.

- Key creation: create a key with `ssh-keygen -t ed25519 -f ~/test_key -N ""`. Confirm that both the public and the private file exist.
- `~/.ssh/config` test: create the following alias: `Host gh` pointing at github.com with user `git`. Does `ssh -T gh` work?
- `rsync` dry run: sync a local directory to another one with `--delete` and `--dry-run`. Read the output carefully.
- Remote command: run `df -h /` remotely on some server and write a pipeline that prints only the use-percentage value (`%`).
- Tunnel test: start `ssh -fN -L 8080:google.com:80 user@yourserver`. Check the result of a local `curl http://localhost:8080 -H "Host: google.com"`.
2.16. Summary

| Concept | Key point |
|---|---|
| `ssh user@host` | Basic connection |
| `ssh-keygen -t ed25519` | Creating a modern key |
| `ssh-copy-id user@host` | Uploading the public key to the server |
| `~/.ssh/config` | Host alias, port, identity: the most powerful feature |
| `ProxyJump <alias>` | Through a jump host |
| `ControlMaster auto` | Connection multiplexing: faster reconnects |
| `scp` / `rsync` | Copying files |
| `rsync -avz --delete` | Production mirror |
| `rsync -avzn` | Dry run: always check first |
| `ssh host 'cmd'` | One command |
| `ssh host bash <<'EOF'` | Multi-line script |
| `-L LOCAL:HOST:REMOTE` | Local forward (most common) |
| `-fN` | Background tunnel |
| `ssh-add` | Adding a key to the agent |

5 key ideas

- ed25519 keys: ed25519, not RSA. Modern and small.
- `~/.ssh/config`: half an hour of setup saves time for the rest of your life.
- `rsync -avzn` (dry run): always test first when using `--delete`.
- Do not use `-A` instead of `ProxyJump`: it undermines security.
- Connection multiplexing (`ControlMaster auto`): a 10× speedup in CI and scripts.

You now have the skills to manage remote servers. In the next chapter we learn to parse API responses with jq.

Next page: 3. JSON and YAML: jq, yq