How to Use nsh to Run Secure Remote Commands on Ubuntu 18.04

Introduction

It can often be difficult to manage multiple machines on a daily basis. While Secure Shell (SSH) is a good choice for remote access, the protocol itself has some drawbacks in both convenience and security.

For instance, remote machines need to have a public IP address and a forwarded port in order to access them, which exposes them to the internet, or at least a larger network. This is especially concerning if you use a password for authentication instead of a public and private key pair. Furthermore, if you don’t know the remote machine’s public key in advance, you might be vulnerable to a “man-in-the-middle” attack. And many remote machines you want to access either don’t have a public IP address, or they have a dynamic IP address you might not know.

In addition, SSH requires one connection per remote session. If a user needs to run a single command across hundreds or even thousands of machines, they must first establish a connection to each machine with a TCP handshake, which is less efficient.

NKN Shell, or nsh, is an alternative to SSH that provides a convenient and secure way to run remote commands. nsh takes advantage of NKN’s global public network which provides secure and decentralized data transmission. The architecture uses unique addresses that contain a public key used for both routing and end-to-end encryption without any public key infrastructure (PKI). The network also does not require the remote server to have a public IP address. The remote server only needs to have Internet access and be able to establish outbound HTTP and websocket connections. As a result, your remote machines are not exposed to the open Internet.

In this tutorial you will use the NKN shell daemon and the NKN Shell Client Xterm applications to execute commands on a remote machine. To do so, you will install and configure the NKN Shell daemon on a remote machine with internet access, generate a key pair, and make your connection from a client.

Prerequisites

To follow this tutorial you will need the following:

  • One Ubuntu 18.04 server set up by following the Ubuntu 18.04 initial server setup guide, including a non-root sudo-enabled user and a firewall.

  • A Web browser installed on your local machine.

Step 1 — Installing NKN Shell Daemon on a Remote Server

First, install the NKN Shell daemon (nshd) on your server. This application will invoke nkn-multiclient, which will connect to NKN’s public network and obtain an address for routing. The daemon will then listen for incoming shell commands from authenticated and whitelisted clients, execute those commands, and then send back results.

Start by downloading the latest pre-built nshd binary from GitHub:

  • wget https://github.com/nknorg/nkn-shell-daemon/releases/latest/download/linux-amd64.tar.gz

Decompress the file:

  • tar -zxvf linux-amd64.tar.gz

Then move the files into the /usr/local/bin directory so they are available system wide:

  • sudo mv ./linux-amd64/* /usr/local/bin/

Next, you’ll configure this to run as a daemon process using Systemd so that it will restart if the server is reset.

Create a file called nshd.service in /etc/systemd/system:

  • sudo nano /etc/systemd/system/nshd.service

Add the following service definition to the file to configure the service:

/etc/systemd/system/nshd.service
[Unit]
Description=NKN Shell Daemon
After=network.target

[Service]
Type=simple
User=root
Group=root
Restart=always
ExecStart=/usr/local/bin/nshd

[Install]
WantedBy=multi-user.target

Learn more about Systemd unit files in Understanding Systemd Units and Unit Files.

Save the file and exit the editor. Then enable and start the nshd service with the following commands:

  • sudo systemctl enable nshd.service

  • sudo systemctl start nshd.service

Run the following command to ensure the service is active and started:

  • sudo systemctl status nshd.service

You’ll see that the status is active:

Output
● nshd.service - NKN Shell Daemon
   Loaded: loaded (/etc/systemd/system/nshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-02-19 19:16:02 UTC; 7s ago
 Main PID: 3457 (nshd)
    Tasks: 10 (limit: 1152)
   CGroup: /system.slice/nshd.service
           └─3457 /usr/local/bin/nshd

Feb 19 19:16:02 your_hostname systemd[1]: Started NKN Shell Daemon.
Feb 19 19:16:03 your_hostname nshd[3457]: Create directory /etc/nshd/
Feb 19 19:16:03 your_hostname nshd[3457]: Create password and save to file /etc/nshd/wallet.pswd
Feb 19 19:16:03 your_hostname nshd[3457]: Create wallet and save to file /etc/nshd/wallet.json
Feb 19 19:16:03 your_hostname nshd[3457]: Create authorized pubkeys file /etc/nshd/authorized_pubkeys
Feb 19 19:16:03 your_hostname nshd[3457]: Listening at d46567b883a3070ee3fe879d9fa2d5dc55a95f79ff2797c42df36c6979e5c4Aba

In order to connect to your server, you’ll need to get its NKN address, which you can find in the output of the previous command. You can also run the following command to obtain the address:

  • nshd addr

You’ll see your address appear:

Output
e70ca28ede84fc0659f2869255e8a393aef35b4fa5a7e036f29127c7dba75383

Take note of this address as you will need it to connect to your server.

Now that the daemon is running and listening, you can configure the web-based client to talk to the server.

Step 2 — Configuring Permissions for NKN Shell Client

You’ll need a compatible client that can connect to the remote machine. In this tutorial you’ll use NKN Shell Client Xterm, a web-based NKN shell client. There are a few different ways to run it:

  • Use the hosted version at https://nsh.nkn.org/. Note that while this web page is hosted on a server, it’s actually a pure local web app that runs in your browser.

  • Get the source code and host it yourself.

  • Use the nShell Chrome extension.

In this tutorial you’ll use the hosted version. On your local machine, open your web browser and navigate to https://nsh.nkn.org. You’ll see a welcome screen:

Click Generate New Key Pair. Your keys will be generated and displayed as shown in the following image:

Note: When you generate a new key pair, you will see a Secret Seed. Keep this secret seed secure and safe, just like you would with your SSH private key. Anyone who has this secret seed can use it to regenerate your public key and then run commands on your remote machines. Your browser will remember this seed, but you should copy it somewhere safe so you can use it again on a new machine.

Save the Secret Seed somewhere safe. You can use it later to regenerate your public key so you can connect from a different client machine.

Since this is a new key pair, you must add the Public Key to the file /etc/nshd/authorized_pubkeys on your server.

/etc/nshd/authorized_pubkeys plays a role similar to SSH’s ~/.ssh/authorized_keys file, which controls which SSH public keys can log in. The authorized_pubkeys file can specify which user is associated with a key. For security purposes, you’ll log in as a non-root user in this tutorial, so you’ll associate the generated public key with the sammy user you created in the Initial Server Setup guide from this article’s prerequisites.

To associate a user with the public key, you’ll need to get the user id (UID) and group id (GID) of this user. Execute the following command on your server while logged in as the sammy user:

  • id

You’ll see the UID and GID of the user:

Output
uid=1000(sammy) gid=1000(sammy) groups=1000(sammy),27(sudo)

Now open the authorized_pubkeys file in your editor:

  • sudo nano /etc/nshd/authorized_pubkeys

Add a single line containing the public key, uid, and gid, separated by spaces:

authorized_pubkeys
5d5367a5730427c205904a4457392051d2045dbce0186518fb6eb24dd9e41ba6 1000 1000

Save the file.

Verify that the file contains the correct content:

  • cat /etc/nshd/authorized_pubkeys

You’ll see your key printed on the screen:

Output
5d5367a5730427c205904a4457392051d2045dbce0186518fb6eb24dd9e41ba6 1000 1000

Then restart the nshd daemon to apply the changes:

  • sudo systemctl restart nshd.service
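
Because every line in authorized_pubkeys grants shell access as the listed UID and GID, it is worth checking the file mechanically whenever it changes. The script below is an added example, not part of the original tutorial or the nshd project; the function name audit_authorized_pubkeys is hypothetical, and the script assumes each entry is a 64-character hexadecimal public key followed by a numeric UID and GID, as in the sample line above.

```shell
#!/bin/sh
# Added example: audit an nshd authorized_pubkeys file before trusting it.
# Assumed line format (taken from the tutorial's sample entry):
#   <64-hex-character public key> <uid> <gid>
audit_authorized_pubkeys() {
    file="${1:-/etc/nshd/authorized_pubkeys}"
    lineno=0; problems=0; seen=""
    report() { echo "$1"; problems=$((problems + 1)); }
    [ -r "$file" ] || { echo "$file: not readable"; return 2; }

    # Anyone who can write this file can authorize their own key.
    case "$(ls -ld "$file" | cut -c1-10)" in
        ?????w????|????????w?) report "$file: writable by group or others" ;;
    esac

    while read -r key uid gid extra || [ -n "$key" ]; do
        lineno=$((lineno + 1))
        [ -z "$key" ] && continue                 # skip blank lines
        if [ -z "$gid" ] || [ -n "$extra" ]; then
            report "line $lineno: expected exactly 3 fields"; continue
        fi
        case "$key" in
            *[!0-9a-fA-F]*) report "line $lineno: key has non-hex characters" ;;
        esac
        [ "${#key}" -eq 64 ] || report "line $lineno: key is not 64 characters"
        case "$uid$gid" in
            *[!0-9]*) report "line $lineno: uid/gid must be numeric"; continue ;;
        esac
        # A key mapped to uid or gid 0 gets a root shell on this host.
        if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
            report "line $lineno: key is mapped to root (uid/gid 0)"
        fi
        case " $seen " in
            *" $key "*) report "line $lineno: duplicate public key" ;;
        esac
        seen="$seen $key"
    done < "$file"

    echo "problems: $problems"
    [ "$problems" -eq 0 ]
}

# Run directly: sudo sh audit.sh /etc/nshd/authorized_pubkeys
if [ "$#" -gt 0 ]; then audit_authorized_pubkeys "$1"; fi
```

The function exits non-zero when it finds a problem, so it can gate a configuration-management run or a cron check.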

Now let’s test it out by connecting to the server and running a command.

Step 3 — Sending a Command to the Remote Machine and Receiving a Response

In NKN Shell Client, enter your remote nshd address from Step 1, as well as an optional client identifier:

Click Connect to initiate the connection.

You’ll be connected to your remote machine and shown a terminal prompt within the browser. From here you can use it just like SSH. For example, execute the following command to switch to the /etc/nshd directory:

  • cd /etc/nshd

Then list its contents:

  • ls

You’ll see the contents of the directory:

Output
authorized_pubkeys wallet.json wallet.pswd

You can disconnect by typing exit. When you need to reconnect, revisit the web interface and enter your connection details. If you generate a new key pair, you’ll need to add the new public key to your server.

Conclusion

In this tutorial, you installed and configured nsh to securely and conveniently send commands to a remote machine. nsh is a great way to access your remote machines when you need to quickly run a command to get the latest status of a service or peek at some configuration settings. The application is based on NKN’s global public network, and it’s free to use so you can incorporate it into your own application or workflow today.

You can also explore nkn-tunnel which supports SSH or any other TCP based applications.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-use-nsh-to-run-secure-remote-commands-on-ubuntu-18-04
