Re: ssh -R

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



tony.chamberlain@xxxxxxxxx wrote:
The following is for CentOS 4.5

...

which gets me into my machine.  Test passes.  Problem is, by
the time I get home, my ssh -l root -R 10022:127.0.0.1:22 10.20.30.40
has timed out
...

This is what autossh is for. Previous advice is good about settings, and here is why, and a complete solution:

The ssh server process by default controls the connection process. It determines longevity and termination requirements. As said, this is the default behavior.

You can modify the CLIENT to control the connection instead. The client can demand longer timeouts, and it can ask for a periodic 'check' to see if its still connected. These are the settings mentioned in the previous messages.

But that may not be enough, especially when tunneling. autossh is specifically designed to 'enhance' the process of tunneling. One thing that can be easily managed with autossh is a tunnel to a port on localhost of the server, thus avoiding port scanners and other unauthorized intrusions.

Here is how we do it, top to bottom:

Our objective was to provide ssh access to any remote server, on a truck via Cell card, or a fixed location via phone or private LAN.

A corporate server needs a sshd running to be the intermediary in this example. The corporate server need to expose a port for the ssh daemon -- does not need to be 22, but we will assume 22 for this example.

Create a rsh key and make sure that the account on the client and the account on the corp server to be used, share the same authorized_keys

The account on the corp server can be locked, but the ssh key needs to be available.

On the remote system:

edit /etc/ssh/ssh_config and add these two lines:
ServerAliveCountMax 10
ServerAliveInterval 30

start a tunnel to the corp server -- we made a startup script: /etc/init.d/autossh

autossh -M 0 -f user@xxxxxxxxxxxxxx -R 2222:localhost:22 -nN

This starts a tunnel on the corpserver listening on port 2222 of the localhost interface. The combination of the client settings and autossh will keep this connection alive as long as the client is up. We use a different port number for each remote client. Since the ports appear only on localhost, they cannot be port scanned from the outside.

On my desktop inside the firewall, I perform this to establish a tunnel to the client for myself:

autossh -M 0 -f user@xxxxxxxxxxxxxx -L 2222:localhost:2222 -nN

This establishes a tunnel from my localhost to the server localhost. This tunnel will remain connected as long as both systems are up, or until I manually take it down by killing autossh.

Now to connect to the remote system, I simply do:
ssh -p 2222 localhost
or
scp -P 2222 myfile localhost:/wherever

works like a champ. The key to automating it all is to share common ssh keys. You can certainly do it manually without them.

Good Luck!


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux