Mastering SSH Public‑Key Login for Batch Server Operations
This guide explains how SSH public‑key authentication works, walks through generating key pairs, shows the connection handshake, and demonstrates practical batch command execution and file collection across multiple Linux servers using ssh, scp, and nc.
Requirement
In daily work we often need to run the same command on many servers, such as comparing logs or checking services, so batch operation capability is required.
SSH Protocol Overview
SSH (Secure Shell) is an encrypted network protocol implemented by OpenSSH. It works over TCP and uses asymmetric encryption similar to HTTPS, but server identity is verified via a known_hosts fingerprint rather than a certificate authority.
When connecting to a server for the first time, SSH asks to verify the server’s public‑key fingerprint and stores it in ~/.ssh/known_hosts for subsequent logins.
Connection Process
The connection consists of a TCP three‑way handshake, SSH version negotiation, public‑key exchange, cipher and MAC negotiation, symmetric‑key authentication, and finally secure data exchange.
Network capture with tcpdump and Wireshark can illustrate these steps.
SSH Command‑Line Tool
The ssh client connects to an sshd server (default port 22). Basic usage is ssh user@host, after which the client prompts for a password unless public‑key authentication is configured.
Full option list (excerpt):
ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] ... [user@]hostname [command]
Public‑Key Login
Generate a key pair with ssh-keygen. Example session:
~ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/zbs/.ssh/id_rsa): ./test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./test.
Your public key has been saved in ./test.pub.
SHA256:xxxxx/B17z/xxxxxx [email protected]
+---[RSA 2048]----+
| o+*.. EO* |
| .... |
| oo+ .o++.o|
+----[SHA256]-----+
Copy the private key (./test) to the client’s ~/.ssh/id_rsa and append the public key (./test.pub) to the server’s ~/.ssh/authorized_keys. Subsequent logins use the private key automatically, eliminating password prompts.
Batch Operations with SSH
Because authentication no longer blocks for a password, the ssh user@host command form can run a command on a remote host in a single process. Looping over an IP list in a shell for loop enables execution on many servers.
Existing tools such as pssh (Python) or hss (C++) provide parallel execution.
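The loop described above, as an added example that is not part of the original article. The names batch_ssh and SSH_BIN are hypothetical, and the host list format (one [user@]host per line, with # comments) is an assumption. Each host's output goes to its own file, and failed hosts are printed.

```shell
#!/bin/sh
# SSH_BIN is a hypothetical override so the loop can be exercised with a stub.
SSH_BIN=${SSH_BIN:-ssh}

# batch_ssh HOSTFILE OUTDIR COMMAND...
# Runs COMMAND on every host listed in HOSTFILE, one after another.
# Output goes to OUTDIR/<host>.log, stderr to OUTDIR/<host>.err.
# Prints each failed host on stdout; returns 0 only if every host succeeded.
batch_ssh() {
    hostfile=$1; outdir=$2; shift 2
    nfail=0
    mkdir -p "$outdir" || return 2
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in
            ''|'#'*) continue ;;   # skip blank lines and comments
            -*)                    # would be parsed by ssh as an option
                printf '%s\n' "$host"
                nfail=$((nfail + 1))
                continue ;;
        esac
        # -n                        : ssh must not read the host list from stdin
        # BatchMode=yes             : fail at once instead of asking for a password
        # StrictHostKeyChecking=yes : refuse hosts that are not in known_hosts
        # ConnectTimeout=5          : one dead host must not stall the whole run
        if ! "$SSH_BIN" -n \
                -o BatchMode=yes \
                -o StrictHostKeyChecking=yes \
                -o ConnectTimeout=5 \
                "$host" "$@" >"$outdir/$host.log" 2>"$outdir/$host.err"
        then
            printf '%s\n' "$host"
            nfail=$((nfail + 1))
        fi
    done <"$hostfile"
    [ "$nfail" -eq 0 ]
}

# Usage: batch_ssh hosts.txt ./out uptime
```

With StrictHostKeyChecking=yes, every host must already have its fingerprint in ~/.ssh/known_hosts, so a host whose key is unknown or has changed is reported as failed rather than silently trusted.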
Collecting Files from Multiple Servers
Use scp, which shares the SSH protocol, to copy files securely. Example: scp src dst, where remote paths are user@host:/path. To avoid filename collisions, generate a UUID on each host:
uuidgen | xargs -I {} scp result.log root@ip:/result/{}
Then concatenate the files on a central machine.
When servers do not share keys, nc can relay data. The -k option keeps the listener open after a transfer:
nc -k -4l port > result.log # server side
grep xxx info.log | nc ip port # client side
Conclusion
The described commands are lightweight tools for developers and sysadmins. For full‑scale automation, an operations platform should integrate these capabilities.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
