sshc-operations
sshc Operations
Use this skill to execute sshc-rs tasks safely and predictably.
Intent Routing (First Decision)
- Discover available hosts/groups: `sshc list` (or `sshc l`).
- Open SSH shell on one host: `sshc c <name>` (or plain `sshc` for interactive picker).
- Open SFTP/FileZilla workflow: `sshc f <name>` (or plain `sshc f` for interactive picker).
- Run non-interactive command and collect output: `sshc run <target> -- <cmd>`.
- Run interactive/full-screen program (`vim`, `top`, `less`, REPL): `sshc tty <name> -- <cmd>`.
- Upload/download files or directories: `sshc up ...` / `sshc down ...`.
- Manage saved hosts/groups: `sshc config ...`.
- Script/JSON integration: `sshc api ...` only when machine-readable output is required.
- Diagnose environment/network/config: `sshc doctor [name]`.
- Migrate config between machines: `sshc export` / `sshc import`.
CRITICAL: Privilege Escalation with sudo
Many remote operations require elevated privileges. You MUST automatically detect when a command needs sudo and use the `sudo` subcommand — never use bare `sudo` inside the remote command string.
When to use sudo
Use `sshc run sudo` or `sshc tty sudo` when the remote command involves ANY of the following:
- Service management: `systemctl start|stop|restart|reload|enable|disable <service>`, `service <name> start|stop|restart`
- Package management: `apt install|remove|update|upgrade`, `yum install|remove`, `dnf install|remove`, `pacman -S|-R`
- System configuration: editing files under `/etc/`, `/sys/`, `/proc/`, running `sysctl`, `hostnamectl`
- File operations on protected paths: reading/writing `/var/log/`, `/opt/`, `/usr/local/`, `/root/`
- User/group management: `useradd`, `usermod`, `groupadd`, `passwd`
- Network configuration: `iptables`, `ip route`, `ip link`, `firewall-cmd`, `ufw`
- Disk/filesystem operations: `mount`, `umount`, `fdisk`, `mkfs`, `fsck`
- System control: `reboot`, `shutdown`, `poweroff`, `init`
- Docker/container operations: `docker ...` (when Docker requires root), `systemctl restart docker`
- Permission changes: `chmod`, `chown` on system-owned files
- Any command that would fail with "Permission denied" without root
Syntax
```bash
# Correct — sudo as subcommand
sshc run sudo prod -- systemctl restart nginx
sshc run sudo @backend -p -- apt update
sshc tty sudo prod -- vim /etc/nginx/nginx.conf

# WRONG — never do this
sshc run prod -- sudo systemctl restart nginx   # ← will NOT work
sshc run prod -- systemctl restart nginx        # ← will fail with permission denied
```
Decision rule
Before constructing any `sshc run` or `sshc tty` command, ask yourself: "Would this command fail with 'Permission denied' if executed as a non-root user?" If yes, insert `sudo` as the subcommand:
- Without sudo: `sshc run <target> -- <cmd>`
- With sudo: `sshc run sudo <target> -- <cmd>`
- Without sudo: `sshc tty <name> -- <cmd>`
- With sudo: `sshc tty sudo <name> -- <cmd>`
Commands that do NOT need sudo
- Reading public info: `uname -a`, `hostname`, `date`, `uptime`, `whoami`, `id`
- Listing files you own: `ls`, `cat` on user-accessible files
- Checking service status (read-only): `systemctl status <service> --no-pager`
- Disk usage (read-only): `df -h`, `free -m`, `top`, `htop`
- User's own processes: `ps aux`, `pgrep`
Default Workflow
- Confirm user goal: connect, command execution, transfer, config change, diagnosis, or migration.
- Select the narrowest command for that goal.
- For target discovery, default to `sshc list` (never `api/config` by default).
- Execute directly once target is clear.
- Show the exact command before destructive operations.
Command Semantics (From Runtime Behavior)
- `run` target supports:
  - Exact host name: `prod`
  - Group: `@backend`
  - All hosts: `all` or `*`
  - Fuzzy match: substring against host key or display name
- `tty` target supports only exact single host name. It rejects `@group`, `all`, `*`, and fuzzy names.
- `run` defaults to serial; add `-p/--parallel` for parallel execution.
- `run sudo` and `tty sudo` are subcommands that wrap the remote command with privilege escalation (passwordless sudo first, then falls back to saved server password). See Privilege Escalation with sudo section above for when to use them.
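An added example, not part of the original skill or of sshc itself: a POSIX shell guardrail that applies the sudo decision rule and the `tty` target restriction described above, and prints the resulting command for review instead of running it. `needs_sudo` and `build_sshc` are hypothetical helper names, and the privileged-command list is a subset of the one on this page.

```bash
# Constructed helper names (needs_sudo, build_sshc); not part of sshc itself.

# needs_sudo CMD [ARGS...]: succeed if the command is on the "use sudo" list.
needs_sudo() {
  case "$1" in
    systemctl)
      # Read-only status checks stay unprivileged.
      case "$2" in status) return 1 ;; *) return 0 ;; esac ;;
    service|apt|yum|dnf|pacman|sysctl|hostnamectl) return 0 ;;
    useradd|usermod|groupadd|passwd|iptables|firewall-cmd|ufw) return 0 ;;
    mount|umount|fdisk|mkfs|fsck|reboot|shutdown|poweroff|init) return 0 ;;
    vim|vi|nano)
      # Editing files under protected system paths needs root.
      for a in "$@"; do
        case "$a" in /etc/*|/sys/*|/proc/*) return 0 ;; esac
      done
      return 1 ;;
    *) return 1 ;;
  esac
}

# build_sshc MODE TARGET CMD [ARGS...]: print the sshc command line for review,
# or return non-zero with a reason on stderr. Nothing is executed.
build_sshc() {
  mode=$1 target=$2
  [ $# -ge 3 ] || { echo "usage: build_sshc run|tty <target> <cmd...>" >&2; return 2; }
  shift 2
  case "$mode" in run|tty) ;; *) echo "mode must be run or tty" >&2; return 2 ;; esac
  # Bare sudo inside the remote command string is not allowed.
  if [ "$1" = sudo ]; then
    echo "use 'sshc $mode sudo <target> -- <cmd>' instead of bare sudo" >&2; return 3
  fi
  # tty accepts only an exact single host name.
  if [ "$mode" = tty ]; then
    case "$target" in @*|all|'*') echo "tty rejects groups and all-host targets" >&2; return 4 ;; esac
  fi
  if needs_sudo "$@"; then
    printf '%s\n' "sshc $mode sudo $target -- $*"
  else
    printf '%s\n' "sshc $mode $target -- $*"
  fi
}
```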
Syntax Guardrails
- Prefer explicit separator: `sshc run <target> -- <command ...>` and `sshc tty <name> -- <command ...>`.
- For command-like user requests ("check the time", "check the disk", "restart the service"), execute directly via `sshc run ...`, not via config inspection.
- Transfer syntax:
  - Upload: `sshc up <local_path> <server:remote_path>`
  - Download: `sshc down <server:remote_path> <local_path>`
- Config lifecycle:
  - Add/Edit/Show/Remove: `sshc config add|edit|show|remove ...`
  - Group operations: `sshc config group list|add|rename|remove ...`
- JSON automation only: `sshc api list|get|set|rm`
Discovery and Preflight Policy
- When user asks to run a remote command (for example, "check the time on nas"), do not preflight with `sshc config show` or `sshc api list`.
- Use `sshc list` only if target naming is uncertain.
- Then execute directly with `sshc run <target> -- <cmd>`.
- Example: `sshc list` then `sshc run nas -- date`.
Safe Defaults
- Prefer `-P` (prompted password) over `--password` to avoid shell history leakage.
- Avoid exposing secrets from `api get`, import/export payloads, or config fields.
- Use serial execution for risky operations (service restart, file mutation, package changes).
- Use `-p/--parallel` only for idempotent and low-blast-radius tasks (read-only checks, status collection).
- For potentially destructive remote commands, ask for confirmation and target scope first.
Troubleshooting Order
- Verify command syntax: `sshc --help` or subcommand `--help`.
- Validate target names with `sshc list`.
- Run `sshc doctor` (or `sshc doctor <name>`) for environment and reachability.
- Retry with the smallest reproducer command (single host, simple command).
- Use `sshc config show <name>` only for config debugging.
- Use `sshc api get <name>` only when JSON inspection is explicitly required.
References
Read references/command-recipes.md for detailed syntax and ready-to-run examples.