SSH reverse tunnel

With autossh you can establish an SSH reverse tunnel from a given system, provided it can reach some other machine via SSH outside its own network. You can also do that with ssh alone, but autossh comes with added features that are worthwhile exploring and using.

Ubuntu 14.04 LTS and older (Upstart)

To use autossh with Upstart, you need two files: /etc/init/autossh.conf and /etc/init/autossh.override. The former is the main Upstart job definition; the latter holds the customizable settings the job reads.

/etc/init/autossh.conf:

description "Establish persistent SSH tunnel"
start on local-filesystems and net-device-up IFACE=eth0 and started ssh
stop on runlevel [016]

respawn
# respawn max 5 times in 60 seconds
respawn limit 5 60
script
    # exec 2>>/tmp/autossh.log
    # set -x
    export AUTOSSH_POLL
    export AUTOSSH_FIRST_POLL
    export AUTOSSH_LOGFILE
    export AUTOSSH_LOGLEVEL
    export AUTOSSH_GATETIME
    sleep 5
    autossh -M $AUTOSSH_MONIPORT -- \
        -4Nngi $SSH_IDENTITY $SSH_OPTIONS \
        -o 'StrictHostKeyChecking=no' \
        -o 'UserKnownHostsFile=/dev/null' \
        -o 'PasswordAuthentication=no' \
        -o 'PubkeyAuthentication=yes' \
        -o 'ServerAliveInterval 60' \
        -o 'ServerAliveCountMax 3' \
        -o 'BatchMode=yes' \
        $SSH_CONNECTION_HOST
end script

If you ever run into trouble, uncomment the two commented-out lines in the script and have a look at /tmp/autossh.log afterwards.

/etc/init/autossh.override:

setuid user
setgid usergroup
env SSH_CONNECTION_HOST=user@host.domain.tld
env SSH_IDENTITY=/home/user/.ssh/id_rsa
env SSH_OPTIONS="-R 10022:localhost:22"
env AUTOSSH_MONIPORT=10023
env AUTOSSH_POLL=60
env AUTOSSH_FIRST_POLL=30
env AUTOSSH_LOGFILE=/var/log/autossh.log
env AUTOSSH_LOGLEVEL=7
env AUTOSSH_GATETIME=0

Some remarks:

  • SSH_CONNECTION_HOST is the host on the outside to which you want to connect.
  • SSH_OPTIONS gives the arguments for ssh as started by autossh; here -R 10022:localhost:22 makes sshd on host.domain.tld listen on port 10022 and hand every connection to that port back to port 22 on localhost, i.e. the machine running the Upstart script.
  • AUTOSSH_LOGFILE: make sure this file is writable by user or usergroup.
  • StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null switches host key verification off entirely, so a machine in the path could impersonate host.domain.tld without ssh noticing. Pointing UserKnownHostsFile at a file that already holds the server's key and leaving StrictHostKeyChecking at yes gives the same unattended behaviour without that exposure.
  • Adding -o 'ExitOnForwardFailure=yes' makes ssh exit when the remote side cannot bind port 10022 (for example because a stale forward still holds it); without it ssh stays connected without a working tunnel and autossh sees nothing to restart.

Use start autossh, stop autossh and restart autossh to control this Upstart job. If you named the file differently, say filename.conf, pass filename as the job name instead.

Ubuntu 16.04 LTS and newer (systemd)

With the introduction of systemd to Ubuntu, we need to provide a unit file on these newer Ubuntu versions.

/etc/systemd/system/autossh.service:

[Unit]
Description=Establish persistent SSH tunnel
Requires=ssh.service
Wants=network-online.target
After=network-online.target

[Service]
User=user
Group=usergroup
Environment=AUTOSSH_POLL=60 AUTOSSH_FIRST_POLL=30 AUTOSSH_LOGFILE=/var/log/autossh.log AUTOSSH_LOGLEVEL=7 AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 10023 -- -4Nngi /home/user/.ssh/id_rsa -R 10022:localhost:22 -o 'StrictHostKeyChecking=no' -o 'UserKnownHostsFile=/dev/null' -o 'PasswordAuthentication=no' -o 'PubkeyAuthentication=yes' -o 'ServerAliveInterval 60' -o 'ServerAliveCountMax 3' -o 'BatchMode=yes' user@host.domain.tld
RestartSec=6
Restart=always

[Install]
WantedBy=multi-user.target

This unit file combines the settings from what was the .override in Upstart directly into the unit. If you wanted to separate most of the settings out, you could use the EnvironmentFile stanza with the respective file containing variable assignments.

To have systemd re-read its unit files, run systemctl daemon-reload. To verify the status (also after starting), run systemctl status autossh.service. To start or restart the service, run systemctl restart autossh.service. And last but not least to enable the service to start at boot time, run systemctl enable autossh.service.
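Whichever init system starts autossh, the thing worth verifying afterwards is on the other end: does sshd on host.domain.tld actually listen on port 10022, and is that listener confined to loopback? The script below is an added example, not part of the original post, written to be run on host.domain.tld. It parses `ss -ltn` output, so it can be exercised offline against the constructed sample it carries, and the port number follows the post's -R 10022:localhost:22. A port bound to 0.0.0.0 or * instead of 127.0.0.1 means the remote sshd has GatewayPorts enabled and the tunnel endpoint is reachable from the network, not just from host.domain.tld itself.

```shell
#!/bin/sh
# Added example (not from the original post): check on host.domain.tld that the
# reverse tunnel is up and that its listener is loopback-only.

# Constructed sample of `ss -ltn` output, used for the offline self-check below.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:10022     0.0.0.0:*
LISTEN 0      128    [::1]:10022         [::]:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*'

# Reads `ss -ltn` output on stdin. Returns 0 when some socket listens on TCP port $1.
# The local address is column 4; the port is whatever follows the last colon.
tunnel_port_listening() {
    awk -v port="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Reads `ss -ltn` output on stdin. Returns 0 when port $1 is bound to an address
# other than loopback (0.0.0.0, *, a real interface address), i.e. exposed.
tunnel_port_exposed() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":"); if (a[n] != port) next
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "127.0.0.1" && host != "[::1]" && host != "localhost") exposed = 1
        }
        END { exit exposed ? 0 : 1 }'
}

# Live check for this host. Returns 0 only when the tunnel port listens and is
# confined to loopback; 1 on a finding; 2 when ss is unavailable.
check_reverse_tunnel() {
    port="${1:-10022}"
    out=$(ss -ltn) || return 2
    if ! printf '%s\n' "$out" | tunnel_port_listening "$port"; then
        echo "tunnel port $port is not listening: autossh is down or the remote port was already taken"
        return 1
    fi
    if printf '%s\n' "$out" | tunnel_port_exposed "$port"; then
        echo "tunnel port $port is bound beyond loopback: check GatewayPorts in sshd_config"
        return 1
    fi
    echo "tunnel port $port is up and loopback-only"
}

# Without arguments: self-check against the constructed sample. With --live: inspect this host.
if [ "${1:-}" = "--live" ]; then
    check_reverse_tunnel 10022
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | tunnel_port_listening 10022 && echo "sample: 10022 listening"
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | tunnel_port_exposed 10022 || echo "sample: 10022 loopback-only"
fi
```

Run it with --live on host.domain.tld after starting the job or unit; a non-zero exit from check_reverse_tunnel is what you want a monitoring hook to alert on, since autossh itself only notices a dead connection, not a forward that was never established.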

// Oliver

PS: beware of the -f switch of autossh. Neither Upstart nor systemd likes it particularly. If you decide to use it, you need to tell the init system how many times a fork() happens, so that it can figure out the PID of the resulting daemon process.

This entry was posted in Administration, EN, Linux, Software, Unix and unixoid.
