Below the steps for ensuring port forwardings are up from an OpenSuSE system to an ssh server using autossh on the client system.
Autossh
Many have written about the benefits of autossh, so I can’t do better than that. A good abbreviated quote is from [WayBack] Autossh for persistent database connectivity – Compose Articles:
Autossh wraps SSH in an application which was designed to monitor the state of the connection. It will also restart SSH if it exits. The idea of the monitoring is that If it sees the packets aren’t going through, it would also restart SSH. …
the developers of OpenSSH added some options – ServerAliveInterval and ServerAliveCountMax – which activate built in connection checking in OpenSSH. Together the options set checking at a set interval and exiting SSH if the count maximum is exceeded. And when SSH exits, autossh will restart it so it serves as much improved replacement as there’s no extra ports needed.
Summary
The scenario is that a client user named autoSshClientUser automatically logs on to a server as user autosshServerUser using autossh from the client system.
The sequence is to first test this manually from the client system using a regular ssh command, then manually with the autossh command from the client system, then automate the starting (and keep alive) of the autossh instance from the client system.
Start configuring the server side first:
- Create a user specific for logon (below it is
autosshServerUser).
- Limit the user to only allow only port forwarding: [WayBack] security – How to create a restricted SSH user for port forwarding? – Ask Ubuntu
Then finish confiruging the client side:
- Install autossh:
zypper install autossh
- Ensure
autoSshClientUser has an ssh key that does not require a password
- Transfer the public key to
autosshServerUser on the remote system
- Test with an
autossh command that suits your situation best
- Ensure
autoSshClientUser runs a job at or shortly after system boot (after the network is up) that will start autossh with the correct parameters
If the autoSshClientUser is root, then you could use a service to start autossh, but be sure that service depends on a functioning network connection.
If the autoSshClientUser is not root, then usually a user based cron job works best.
Naming idea:
- Assume the client system is
Train and the server is Station
- The server user could be
autosshTrainAtStation
- The client user could be
autosshTrainToStation
Server side
- [Archive.is] Installing on other OSes (Debian / Ubuntu; Debian / Ubuntu; CentOS / Fedora / RHEL; ArchLinux; FreeBSD; OSX)
- As
root, add he user using [Archive.is]useradd:
- First line of defense is to ensure it cannot logon interactively (
--shell /bin/false)
- Second line of defines is to ensure it has no password, hence the missing
-p or --password
- The user does need a home directory to configure ssh options (like key) in configuration files.
- On Debian based operating systems – including Ubuntu – you can also use
adduser: [WayBack] debian – What does adduser do that useradd doesn’t? – Unix & Linux Stack Exchange)
# useradd --create-home --shell /bin/false autosshServerUser
- As
root use su to become autosshServerUser, then create an ssh key without a password (you need to specify the logon shell) using [WayBack] ssh-keygen.
This generates bot a secure rsa and
# su --shell /bin/bash autosshServerUser
> cd ~
> whoami
autosshServerUser
> rm -f ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
> ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -N ''
Generating public/private rsa key pair.
Your identification has been saved in /home/autosshServerUser/.ssh/id_rsa.
Your public key has been saved in /home/autosshServerUser/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:... autossh24@linux
The key's randomart image is:
+---[RSA 2048]----+
...
+----[SHA256]-----+
> rm -f ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub
> ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/id_ed25519 -N ''
Generating public/private ed25519 key pair.
Your identification has been saved in /home/autossh24/.ssh/id_ed25519.
Your public key has been saved in /home/autossh24/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:... autossh24@linux
The key's randomart image is:
+--[ED25519 256]--+
...
+----[SHA256]-----+
Client side
I need to check the below links on killing autossh (including the underlying ssh based connection), as you need to use the kill or pkill parameters signals -3 (SIGQUIT), not -9 (SIGKILL) as explained in [WayBack] ssh – How to stop/kill an autossh tunnel? – Super User (thanks mariusmatutiae and dviljoen).
Monitoring the state of the ssh connection needs some parameters (like ClientAliveInterval and ClientAliveCountMax). A good start on that is [WayBack] networking – autossh does not kill ssh when link down – Server Fault.
Setting up a service so root automatically logs on a remote system:
With non-root, it might actually be possible to do this as a service too given there is a user= parameter in service files:
Though as non-root, most people seem to use cron [WayBack] ssh – Problems with Autossh: running from cron vs terminal – Super User
Please do not use /etc/init.d/after.local as mentioned often (for instance in [WayBack] TUMBLEWEED run a script a boot): this mechanism has been deprecated and won’t work on more recent systems (like 2012 and younger: [WayBack] openSUSE Forums – systemd and using the after.local script in openSUSE 12.1). The same holds for /etc/init.d/boot.local: don’t use, even though many people indicate it works, for instance [WayBack] Run a command at boot.
An interesting approach is at [WayBack] Autossh Startup Script for Multiple Tunnels | Surnia Ulula, though I will stick with what’s below.
Read:
Downloads:
References
Most of the above comes from these links:
–jeroen
Continuation of:
Read the rest of this entry »
Today it’s the 40th birthday of UDP. Or more precise: 40 years after [WayBack] RFC 768 – User Datagram Protocol got submitted.
The Wiert Corner - irregular stream of stuff 