autossh on Windows from a service: automatically starting a tunnel regardless of whether anyone is logged on
Posted by jpluimers on 2021/08/09
There is an autossh binary for Windows available on GitHub: [WayBack] GitHub – jazzl0ver/autossh: Windows binary for autossh v1.4c.
Combined with NSSM (which for instance you can install through [WayBack] Chocolatey Software | NSSM – the Non-Sucking Service Manager) you can not only automatically build and maintain an SSH connection, but also ensure the autossh process is up and running as a service without the need for an active logon.
This allows for SSH based tunnels from and to your Windows system.
For this usage scenario, there is no need for these tools any more:
- [WayBack] N2 – MyEnTunnel – A background SSH tunnel daemon (now unmaintained)
- [WayBack] PuTTY Tray (now unmaintained)
- [WayBack] Persistent SSH tunnel manager documentation (license needed)
- Not persistent (some via [WayBack] Automatic SSH tunneling from Windows – Super User):
  - [WayBack] SSH Tunnel
  - [WayBack] How to use Windows 10’s built-in OpenSSH to automatically SSH into a remote Linux machine – Scott Hanselman
  - [WayBack] Windows 10 SSH vs. PuTTY: Time to Switch Your Remote Access Client?
  - [WayBack] Putty: Automatically start an SSH tunnel without a window (headless) – Christosoft Blog
Future research:
- [WayBack] Using SSH to connect to GitHub – Ken Bonny’s Blog (as it mentions OpenSSH Authentication Agent, but I need to figure out if this survives a reboot)
- [WayBack] Bitvise SSH Client | Bitvise (should be able to reconnect; not clear if it requires a license to be installed)
- Still possible, but requires the cygwin suite: [Archive.is] Persistent SSH tunnel for Windows – Technicus
One-time steps
These are in part based on:
- [WayBack] Creating persistent SSH tunnels in Windows using autossh | boltblog (which is Cygwin based)
- [WayBack] Persistent reverse (NAT bypassing) SSH tunnel access with autossh – Raymii.org
- [WayBack/Archive.is] SSH tunnelling for fun and profit: Autossh
1. Download autoSSH
Download the most recent [WayBack] Releases · jazzl0ver/autossh · GitHub (see below for updates).
I used the 1.4g version: [WayBack] autossh.exe, then put it on my Windows PATH.
2. Install NSSM
Since it is on chocolatey ([WayBack] Chocolatey Software | NSSM – the Non-Sucking Service Manager 2.24.101.20180116), this will suffice:
choco install --yes nssm
3. Prepare the remote computer so it allows enough SSH retries
Check the value of MaxAuthTries in /etc/ssh/sshd_config.
# grep MaxAuthTries /etc/ssh/sshd_config
MaxAuthTries 1
The value needs to be at least 3 for ssh-copy-id to work properly: ssh-copy-id first offers every key the client already has, to filter out keys that are already installed, and each offered key counts as one authentication attempt.
When changing the value, be sure to restart the sshd daemon.
With a low value of MaxAuthTries in /etc/ssh/sshd_config, ssh-copy-id will give an error like this one:
ERROR: Received disconnect from myRemoteComputer port 2222:2: Too many authentication failures
See also these links via [WayBack] “INFO: attempting to log in with the new key(s), to filter out any that are already installed” “Too many authentication failures” – Google Search.
4. Temporarily allow the remote account to perform interactive logon
Temporarily change the user shell to /bin/bash (and set it back afterwards) to allow [WayBack] ssh-copy-id to work at all.
This is explained in more detail by [WayBack] shell – ssh dissable login, but allow copy-id – Server Fault.
5. Generate public and private key pairs
You need an ssh public and private key, then transfer this to your Windows client. You can for instance use these as a base:
- [WayBack] Persistent reverse (NAT bypassing) SSH tunnel access with autossh – Raymii.org
- [WayBack] OpenSSH: Key generation
- Julia Evans on Twitter: “ssh tips…”
- OpenSSH keygen guidelines
For instance (where myLocalUser is the local user to generate the key pair for, and myRemoteUser plus myRemoteComputer are the remote user and computer you want to autossh to):
ssh-keygen -t rsa -b 4096 -f %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer
ssh-keygen -t ed25519 -f %UserProfile%\.ssh\id_ed25519_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer
6. Install git (for ssh-copy-id and bash)
Since git includes ssh-copy-id (which you need in the next step; it is at %ProgramFiles%\Git\usr\bin\ssh-copy-id) and git is on chocolatey ([WayBack] Chocolatey Software | Git (Install) 2.23.0):
choco install --yes git.install --params "/GitAndUnixToolsOnPath /NoGitLfs /SChannel /NoAutoCrlf /WindowsTerminal"
7. Copy the public parts of the generated key pairs to the remote account on the remote machine
Use bash with ssh-copy-id to transfer the generated public keys to a remote system (replace 2222 with the SSH port number on the remote computer; often it is just 22). The ed25519 file name must match the one ssh-keygen generated in step 5:
pushd %UserProfile%\.ssh
bash -c "ssh-copy-id -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer"
bash -c "ssh-copy-id -i %UserProfile%\.ssh\id_ed25519_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer"
popd
This sounds overly complicated, but it is the only way to have cmd expand the environment variables before bash sees the command.
8. Test with ssh, then with autossh
These two ssh commands should succeed; choose the one for the algorithm you prefer (rsa or ed25519).
ssh -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
ssh -i %UserProfile%\.ssh\id_ed25519_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
After this, try with autossh:
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i %UserProfile%\.ssh\id_ed25519_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
This disables the autossh port monitoring (the -M 0 option), but uses the keep-alive interval and count from ssh itself to monitor the connection (the -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" options): ssh sends a keep-alive every 30 seconds and exits after 3 unanswered ones, after which autossh restarts it.
Note that there is no default monitoring port, as it can be any one: [WayBack] linux – What is the default monitoring port for autossh? – Super User
9. Install autossh as a service
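As an added example (not from the post, nor from the autossh or NSSM projects), this batch script registers the autossh command tested in step 8 as a Windows service with NSSM. The service name, the myLocalUser account, the key path under C:\Users\myLocalUser\.ssh, the log directory and the -L 8080:localhost:80 forward are assumptions; port 2222 is the one used in the earlier steps.

```batch
@echo off
rem Added example, not from the original post: register the tested autossh
rem command as a Windows service with NSSM. Service name, account, paths and
rem the forwarded port (-L 8080:localhost:80) are assumptions; adjust them.
setlocal
set SERVICE=autossh-myRemoteComputer
set SVC_USER=.\myLocalUser
set SSH_DIR=C:\Users\myLocalUser\.ssh
set KEY=%SSH_DIR%\id_ed25519_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer
set LOGDIR=C:\ProgramData\autossh
for /f "delims=" %%p in ('where autossh') do set AUTOSSH=%%p

rem A service cannot answer prompts, so the key must exist and the host key
rem must already be in known_hosts (connect once interactively, see step 8).
if not exist "%KEY%" (echo Private key %KEY% not found & exit /b 1)
ssh-keygen -F [myRemoteComputer]:2222 -f %SSH_DIR%\known_hosts >nul || (
  echo Host key for [myRemoteComputer]:2222 missing from %SSH_DIR%\known_hosts & exit /b 1
)
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem Same monitoring options as step 8, in Key=Value form so nothing needs
rem quoting. -N: no remote shell. BatchMode/StrictHostKeyChecking=yes: never
rem fall back to a password or accept an unknown host key unattended.
rem ExitOnForwardFailure: a failed forward ends ssh so autossh retries it.
nssm install %SERVICE% "%AUTOSSH%" -M 0 -N ^
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 ^
  -o BatchMode=yes -o StrictHostKeyChecking=yes ^
  -o UserKnownHostsFile=%SSH_DIR%\known_hosts -o ExitOnForwardFailure=yes ^
  -i %KEY% -p 2222 -L 8080:localhost:80 myRemoteUser@myRemoteComputer

rem Run as the key owner rather than LocalSystem: the private key stays
rem readable only by that account and the tunnel gets no SYSTEM privileges.
set /p SVC_PASSWORD=Password for %SVC_USER%: 
nssm set %SERVICE% ObjectName %SVC_USER% %SVC_PASSWORD%
set SVC_PASSWORD=

rem Keep retrying at boot: autossh's default gate time gives up when the first
rem connection fails within 30 s, which is what happens before the network is up.
nssm set %SERVICE% AppEnvironmentExtra AUTOSSH_GATETIME=0
nssm set %SERVICE% AppExit Default Restart
nssm set %SERVICE% AppRestartDelay 5000
nssm set %SERVICE% Start SERVICE_AUTO_START
nssm set %SERVICE% AppStdout %LOGDIR%\autossh.log
nssm set %SERVICE% AppStderr %LOGDIR%\autossh.log
nssm set %SERVICE% AppRotateFiles 1

nssm start %SERVICE%
nssm status %SERVICE%
endlocal
```

Run it from an elevated command prompt; afterwards nssm status should report SERVICE_RUNNING and the ssh output lands in the log file instead of a console window.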
Example output of the ssh-keygen commands from step 5 (with different key names):
C:\Users\jeroenp>ssh-keygen -t ed25519 -f %UserProfile%\.ssh\id_ed25519_myUser_%ComputerName%_autossh_revue
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\jeroenp\.ssh\id_ed25519_myUser_D10U003_autossh_revue.
Your public key has been saved in C:\Users\jeroenp\.ssh\id_ed25519_myUser_D10U003_autossh_revue.pub.
The key fingerprint is:
SHA256:6qjzXhQtZpTzU6aryHMYuwVs5b4a/2COKxFGFQj0Eg4 jeroenp@D10U003
The key's randomart image is:
+--[ED25519 256]--+
|E+ oo...         |
|o = .o. o        |
| + . *o.+        |
| +. = o+         |
| . .+ o So       |
| ...+ ..         |
| o.=B.           |
| o *@oo          |
| .*O*=..         |
+----[SHA256]-----+
C:\Users\jeroenp>ssh-keygen -t rsa -b 4096 -f %UserProfile%\.ssh\id_rsa_myUser_%ComputerName%_autossh_revue
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\jeroenp\.ssh\id_rsa_myUser_D10U003_autossh_revue.
Your public key has been saved in C:\Users\jeroenp\.ssh\id_rsa_myUser_D10U003_autossh_revue.pub.
The key fingerprint is:
SHA256:WaWRoAnr4OuXAnc+MekpbdnNto71SgdMykp7XqylQr8 jeroenp@D10U003
The key's randomart image is:
+---[RSA 4096]----+
| . .....         |
| o o .+          |
| . . o . o       |
| . o . + o       |
| . o.o S         |
|. .o*o . .       |
| o.*oO.o* .      |
| .o %ooO+o       |
| .= oE++o.       |
+----[SHA256]-----+
NSSM
NSSM is really cool to run any application as a service: [WayBack] NSSM – the Non-Sucking Service Manager
nssm is a service helper which doesn’t suck. srvany and other service helper programs suck because they don’t handle failure of the application running as a service. If you use such a program you may see a service listed as started when in fact the application has died. nssm monitors the running service and will restart it if it dies. With nssm you know that if a service says it’s running, it really is. Alternatively, if your application is well-behaved you can configure nssm to absolve all responsibility for restarting it and let Windows take care of recovery actions.
nssm logs its progress to the system Event Log so you can get some idea of why an application isn’t behaving as it should.
nssm also features a graphical service installation and removal facility. Prior to version 2.19 it did suck. Now it’s quite a bit better.
After installing, everything is command-line based (I cut away some blank lines for readability):
C:\bin\bin>nssm --help
NSSM: The non-sucking service manager
Version 2.24-101-g897c7ad 64-bit, 2017-04-26
Usage: nssm <option> [<args> ...]
To show service installation GUI:
        nssm install [<servicename>]
To install a service without confirmation:
        nssm install <servicename> <app> [<args> ...]
To show service editing GUI:
        nssm edit <servicename>
To retrieve or edit service parameters directly:
        nssm dump <servicename>
        nssm get <servicename> <parameter> [<subparameter>]
        nssm set <servicename> <parameter> [<subparameter>] <value>
        nssm reset <servicename> <parameter> [<subparameter>]
To show service removal GUI:
        nssm remove [<servicename>]
To remove a service without confirmation:
        nssm remove <servicename> confirm
To manage a service:
        nssm start <servicename>
        nssm stop <servicename>
        nssm restart <servicename>
        nssm status <servicename>
        nssm statuscode <servicename>
        nssm rotate <servicename>
        nssm processes <servicename>
Windows binary autossh version
If it is behind on [WayBack] autossh (see version history at [WayBack] autossh/CHANGES.txt), then just ask for a new version; usually it gets built and released quickly: [WayBack] Any plans for 1.4g? · Issue #3 · jazzl0ver/autossh · GitHub
[WayBack] Releases · jazzl0ver/autossh · GitHub at the time of writing:
- [WayBack] Release 1.4c · jazzl0ver/autossh · GitHub
  - [WayBack] autossh.exe 116 KB
  - [WayBack] Source code (zip)
  - [WayBack] Source code (tar.gz)
- [WayBack] Release 1.4e · jazzl0ver/autossh · GitHub
  - [WayBack] autossh.exe 116 KB
  - [WayBack] Source code (zip)
  - [WayBack] Source code (tar.gz)
- [WayBack] Release 1.4g · jazzl0ver/autossh · GitHub
  - [WayBack] autossh.exe 232 KB
  - [WayBack] Source code (zip)
  - [WayBack] Source code (tar.gz)
–jeroen