Session Multiplexing

emacs /etc/ssh/ssh_config
emacs ~/.ssh/config
Host *
ControlMaster auto
ControlPath   ~/.ssh/master-%r@%h:%p
ControlPersist 10m






$netstat -navp tcp | grep 22

tcp4 0 0 192.168...60603 47.91...22 ESTABLISHED 131072 131768 79974 0

$ps -ef|grep ssh|grep -v grep

501 79974 79973 0 8:34下午 ttys003 0:00.08 ssh root@47.91.. -p 22

501 80150 80149 0 8:34下午 ttys004 0:00.01 ssh root@47.91.. -p 22

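Multiplexing clearly reduces the overhead of establishing multiple connections. Because each machine can accept only a limited number of connections, it can significantly lower cost in applications such as jump hosts (although many companies' bastion hosts are not single-machine deployments). The other benefit is on the client side: because the SSH connection is reused, a new session does not have to repeat TCP connection setup and the authentication and authorization process, so the cost and time of cloning a remote session both drop significantly, which improves working efficiency.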



ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to yes, ssh(1) will listen for connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to no (the default). These sessions will try to reuse the master instance’s network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist, or is not listening.

Setting this to ask will cause ssh(1) to listen for control connections, but require confirmation using ssh-askpass(1). If the ControlPath cannot be opened, ssh(1) will continue without connecting to a master instance.

X11 and ssh-agent(1) forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection i.e. it is not possible to forward multiple displays or agents.

Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. These options are: auto and autoask. The latter requires confirmation like the ask option.

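ControlMaster controls whether multiplexing is enabled. It has two optional values, auto and autoask: the former automatically creates a socket file when none exists, and the latter asks for a password when a new session is opened.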

ControlPath Specify the path to the control socket used for connection sharing as described in the ControlMaster section above or the string none to disable connection sharing. Arguments to ControlPath may use the tilde syntax to refer to a user’s home directory or the tokens described in the TOKENS section. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r (or alternatively %C) and be placed in a directory that is not writable by other users. This ensures that shared connections are uniquely identified.

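ControlPath specifies the path of the socket file shared by multiplexed sessions. The path supports ~ for the home directory and also supports the TOKENS: %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. The ControlPath should be chosen so that, as far as possible, other users have no write permission on the socket file.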

%% A literal '%'.

%C Shorthand for %l%h%p%r.

%h The remote hostname.

%i The local user ID.

%L The local hostname.

%l The local hostname, including the domain name.

%n The original remote hostname, as given on the command line.

%p The remote port.

%r The remote username.

%u The local username.

ControlPersist When used in conjunction with ControlMaster, specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to no, then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to yes or 0, then the master connection will remain in the background indefinitely (until killed or closed via a mechanism such as the “ssh -O exit”). If set to a time in seconds, or a time in any of the formats documented in sshd_config(5), then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time.



Host *

ControlMaster auto

ControlPath ~/.ssh/ssh-%r@%h

ControlPersist yes


$ls -l

srw------- 1 chason wheel 0 1 1 12:52 ssh-root@47.91..

$file ssh-root@47.91..

ssh-root@47.91..: socket



$ ssh -O check root@47.91..

Master running (pid=91057)


$ ssh -O stop root@47.91..

Stop listening request sent.


$ ssh -O exit root@47.91..

Exit request sent.
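
The ControlPath and ControlPersist guidance quoted above can be checked mechanically. The following Python linter is an added example, not part of the original notes or of OpenSSH: the names lint_multiplexing and _check are hypothetical, it only understands plain Host blocks (no Match or Include), and it is run against the two configurations shown on this page.

```python
import os
import re
import stat

RECOMMENDED = ("%h", "%p", "%r")  # ssh_config(5): include these, or %C instead

def _check(host, opts, check_fs):
    """Findings for one Host block's multiplexing options."""
    out = []
    path = opts.get("controlpath", "none")
    if path.lower() == "none":
        return out  # connection sharing disabled or not configured
    missing = [t for t in RECOMMENDED if t not in path]
    if "%C" not in path and missing:
        out.append((host, "ControlPath lacks " + " ".join(missing)))
    if check_fs:  # optional: inspect the real socket directory on this machine
        d = os.path.dirname(os.path.expanduser(path))
        if os.path.isdir(d) and os.stat(d).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            out.append((host, "socket directory is group/world-writable: " + d))
    if opts.get("controlpersist", "no").lower() in ("yes", "0"):
        out.append((host, "ControlPersist never expires; close with ssh -O exit"))
    return out

def lint_multiplexing(text, check_fs=False):
    """Parse ssh_config text and return [(host_pattern, finding), ...]."""
    findings, host, opts = [], "*", {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip('"')
        if key == "host":
            findings += _check(host, opts, check_fs)
            host, opts = value, {}
        else:
            opts.setdefault(key, value)  # ssh uses the first value obtained
    return findings + _check(host, opts, check_fs)

# The two configurations from this page (Host block contents copied verbatim).
FIRST = "Host *\nControlMaster auto\nControlPath   ~/.ssh/master-%r@%h:%p\nControlPersist 10m\n"
SECOND = "Host *\nControlMaster auto\nControlPath ~/.ssh/ssh-%r@%h\nControlPersist yes\n"

if __name__ == "__main__":
    for name, cfg in (("first", FIRST), ("second", SECOND)):
        print(name, lint_multiplexing(cfg) or "no findings")
```

The first configuration passes. The second is flagged because its ControlPath omits %p and because ControlPersist yes leaves the authenticated master reusable through the socket until it is killed or closed with ssh -O exit.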