[opensuse] Has anyone ever used the autossh daemon?
All,

I've struggled to setup autossh as daemon and just got it working. I hope it is reliable because I'm about to drive away and won't be back for a while. If anyone can comment on its reliability, I'd appreciate feedback.

Now that I have port 22 (ssh) working, I haven't yet figured out the syntax for port 80 so any help on my second line below would be great.

Also, anything else I should do to make this connection more robust? (I hope I have the monitoring port below set right?)

=== Details for myself or others that want to do this:

autossh is designed to let you setup a reverse tunnel. That way I can have a machine behind a NAT firewall expose ssh by tunneling it through a server on the internet.

Step one: Get this to work as the user you will log into the public server as:

    ssh user@www.intelligentavatar.net

Then copy the ssh keyfile to /root/id_rsa_user (there may be a better way to do that)

    chown root.root /root/id_rsa_user
    chmod 600 /root/id_rsa_user

Get this to work as root

    ssh -i /root/id_rsa_user user@www.intelligentavatar.net
    # replace user with the user name you setup on the well-known server and of course replace the server name.
    # make sure you accept the cert so that the above works without user interaction

Then enable autossh as daemon. (I used yast service level editor to do that.)

Finally edit /etc/sysconfig/autossh to have

===========
## Type: string
## Default: 0
## Format: <port>[:echo_port]
#
# The base monitoring port to use, or alternatively, the monitoring
# port and the echo service port to use. Setting 0 will turn the
# monitoring off, and autossh will only restart ssh on ssh exit.
AUTOSSH_PORT="22"

## Type: integer
## Default: 1
#
# Number of autossh instances to spawn on start.
AUTOSSH_SPAWNS="2"

## Type: string
## Default: user@example.com -p 22 -ynNT -R 30000:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3
#
# Options to be passed to ssh
# All options except for the first must end with "_<number>". Only the
# options upto "_$(($AUTOSSH_SPAWNS-1))" will be started.
AUTOSSH_OPTIONS="user@www.intelligentavatar.net -i /root/id_rsa_user -p 22 -ynNT -R 30000:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3"
AUTOSSH_OPTIONS_1="user@www.intelligentavatar.net -i /root/id_rsa_user -p 22 -ynNT -R 8888:localhost:80 -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3"
===========

Again, the line for port 80 is not yet right. I'm not sure what is wrong with the above, but I'm tired of working on this for a while.

fyi: the endpoint for this is just a weatherstation, so don't waste your time trying to hack it. Success will get you to nothing of value on a network with nothing of value. Also I changed the port away from 30000 (the default)

Greg

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
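The message above asks whether the monitoring port is set right. As an added example (not part of the thread and not code from the autossh package), the shell function below lints a sysconfig file of this shape; autossh's monitor occupies the base port and, in the plain `<port>` form, the port above it, so neither may be a port the ssh options already use. The name `lint_autossh` is hypothetical, and `-R` is assumed to be in the three-field `port:host:hostport` form used in the post.

```shell
# Added example: lint_autossh FILE prints one finding per line; no output = no findings.
lint_autossh() (
    # Subshell: the file is plain shell assignments, so source it in isolation.
    . "$1" || exit 0
    spawns=${AUTOSSH_SPAWNS:-1}
    base=${AUTOSSH_PORT:-0}
    mon=${base%%:*}
    # Plain "<port>" form also occupies port+1; "<port>:<echo_port>" does not.
    case $base in *:*) hi=$mon ;; *) hi=$((mon + 1)) ;; esac
    ports=""
    i=0
    while [ "$i" -lt "$spawns" ]; do
        if [ "$i" -eq 0 ]; then name=AUTOSSH_OPTIONS; else name=AUTOSSH_OPTIONS_$i; fi
        eval "opts=\${$name:-}"
        if [ -z "$opts" ]; then echo "$name: unset, but AUTOSSH_SPAWNS=$spawns starts it"; fi
        case $opts in *ExitOnForwardFailure=yes*) ;; *)
            echo "$name: no ExitOnForwardFailure=yes, ssh stays up without its forward" ;;
        esac
        case $opts in *ServerAliveInterval=*) ;; *)
            echo "$name: no ServerAliveInterval, a silent link is never noticed" ;;
        esac
        # Collect ports already claimed by "-p N" and "-R port:host:hostport".
        prev=""
        for w in $opts; do
            case $prev in
                -p) ports="$ports $w" ;;
                -R) ports="$ports ${w%%:*} ${w##*:}" ;;
            esac
            prev=$w
        done
        i=$((i + 1))
    done
    if [ "$mon" -eq 0 ]; then exit 0; fi   # 0 = monitoring off, nothing to collide
    for p in $ports; do
        case $p in ""|*[!0-9]*) continue ;; esac
        if [ "$p" -eq "$mon" ] || [ "$p" -eq "$hi" ]; then
            echo "AUTOSSH_PORT=$base: monitor port clashes with port $p in the ssh options"
            break
        fi
    done
)
# Demo on constructed input that mirrors the values quoted in the post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
AUTOSSH_PORT="22"
AUTOSSH_OPTIONS="user@www.intelligentavatar.net -p 22 -ynNT -R 30000:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=60"
EOF
lint_autossh "$demo"; rm -f "$demo"
```

With `AUTOSSH_PORT="0"` the monitor is off and the `ServerAliveInterval`/`ServerAliveCountMax` options in the ssh line are what detect a dead link.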
Greg Freemyer wrote:
=== Details for myself or others that want to do this:
autossh is designed to let you setup a reverse tunnel. That way I can have a machine behind a NAT firewall expose ssh by tunneling it through a server on the internet.
You've probably thought of this already, but you could also achieve this with a simple DNAT rule on the firewall.

--
Per Jessen, Zürich (10.0°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen
Greg Freemyer wrote:
=== Details for myself or others that want to do this:
autossh is designed to let you setup a reverse tunnel. That way I can have a machine behind a NAT firewall expose ssh by tunneling it through a server on the internet.
You've probably thought of this already, but you could also achieve this with a simple DNAT rule on the firewall.
This is at my parents' 2nd house in the mountains. The ISP seems to firewall off the inbound ports altogether so autossh seems like a better approach given that I do have a place to tunnel thru.

I disabled the monitor feature until I figure out what it does and what port to set it to.

I haven't found any documentation about /etc/sysconfig/autossh except what's in the file. I feel like I'm the first user :(

I may pull down the source and see if there is anything in the tarball that explains it.

Greg

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Greg Freemyer wrote:
Per Jessen
wrote: Greg Freemyer wrote:
=== Details for myself or others that want to do this:
autossh is designed to let you setup a reverse tunnel. That way I can have a machine behind a NAT firewall expose ssh by tunneling it through a server on the internet.
You've probably thought of this already, but you could also achieve this with a simple DNAT rule on the firewall.
This is at my parents' 2nd house in the mountains. The ISP seems to firewall off the inbound ports altogether so autossh seems like a better approach given that I do have a place to tunnel thru.
Okay, I see. ISTR there is a way to do this with 'plain' ssh? Something about the -R option? Try googling "ssh tunnel reverse".
I haven't found any documentation about /etc/sysconfig/autossh except what's in the file. I feel like I'm the first user :(
I've never heard of it.

--
Per Jessen, Zürich (12.9°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
On Mon, Jun 3, 2013 at 10:51 AM, Per Jessen
Greg Freemyer wrote:
Per Jessen
wrote: Greg Freemyer wrote:
=== Details for myself or others that want to do this:
autossh is designed to let you setup a reverse tunnel. That way I can have a machine behind a NAT firewall expose ssh by tunneling it through a server on the internet.
You've probably thought of this already, but you could also achieve this with a simple DNAT rule on the firewall.
This is at my parents' 2nd house in the mountains. The ISP seems to firewall off the inbound ports altogether so autossh seems like a better approach given that I do have a place to tunnel thru.
Okay, I see. ISTR there is a way to do this with 'plain' ssh? Something about the -R option? Try googling "ssh tunnel reverse".
You are correct, but ssh by itself is not reliable. If it dies and your box is remote, you have to go make a site visit. No fun if it is a 2-hour drive.

Being a top notch admin like you are, you might write a monitor application to invoke ssh with the -R option and make sure it stayed up. Being a man who likes simple names, you might call the wrapper autossh.

And then because you are a really competent guy, you'd write a init script to invoke autossh during boot and make that init script controllable via the YaST System Level editor.

All the above is what is in the autossh package. My trouble is that autossh itself is lightly documented and the config file for the init script seems to have no external documentation at all and I can't find evidence of anyone using it via google searches.

Greg
Greg Freemyer wrote:
On Mon, Jun 3, 2013 at 10:51 AM, Per Jessen
wrote: Greg Freemyer wrote:
Per Jessen
wrote: Greg Freemyer wrote:
=== Details for myself or others that want to do this:
autossh is designed to let you setup a reverse tunnel. That way I can have a machine behind a NAT firewall expose ssh by tunneling it through a server on the internet.
You've probably thought of this already, but you could also achieve this with a simple DNAT rule on the firewall.
This is at my parents' 2nd house in the mountains. The ISP seems to firewall off the inbound ports altogether so autossh seems like a better approach given that I do have a place to tunnel thru.
Okay, I see. ISTR there is a way to do this with 'plain' ssh? Something about the -R option? Try googling "ssh tunnel reverse".
You are correct, but ssh by itself is not reliable. If it dies and your box is remote, you have to go make a site visit. No fun if it is a 2-hour drive.
Being a top notch admin like you are, you might write a monitor application to invoke ssh with the -R option and make sure it stayed up. Being a man who likes simple names, you might call the wrapper autossh.
I would personally be tempted to start with something like this:

    while true
    do
        mail-to-myself "ssh had to be restarted"
        ssh <whatever options you need>
        sleep 60
    done

If ssh or the network then turns out to be truly unreliable, it sounds like a job for systemd (to monitor it).
And then because you are a really competent guy, you'd write a init script to invoke autossh during boot and make that init script controllable via the YaST System Level editor.
All the above is what is in the autossh package. My trouble is that autossh itself is lightly documented and the config file for the init script seems to have no external documentation at all and I can't find evidence of anyone using it via google searches.
Got it - I didn't look closer at autossh, I wasn't aware it is about keeping ssh up. I googled it just now, and did find references to people using it:

http://dennis-wisnia.de/wordpress/2011/05/ein-ssh-tunnel-mit-autossh/
http://www.debianadmin.com/autossh-automatically-restart-ssh-sessions-and-tu...
http://linuxaria.com/howto/permanent-ssh-tunnels-with-autossh?lang=en
http://www.debianroot.de/server/mysql-ssh-tunnel-mit-autossh-1165.html

Maybe they'll be able to get you going.

--
Per Jessen, Zürich (10.4°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
On Mon, Jun 3, 2013 at 12:21 PM, Per Jessen
I would personally be tempted to start with something like this:
    while true
    do
        mail-to-myself "ssh had to be restarted"
        ssh <whatever options you need>
        sleep 60
    done
If ssh or the network then turns out to be truly unreliable, it sounds like a job for systemd (to monitor it).
I went thru that dance a few years ago. ssh tunnels are truly not stable in the timeframe of weeks / months. autossh is a great tool for keeping the tunnels alive.

The last time I did this I put an entry in crontab to kickoff autossh on boot. It worked well enough, but when I noticed autossh had its own init script, I decided to go for it.

I imagine it will be one of the last things moved to systemd just because there are few if any users (besides my attempt here).

Greg
On Mon, Jun 3, 2013 at 12:32 PM, Greg Freemyer
I imagine it will be one of the last things moved to systemd just because there are few if any users (besides my attempt here).
I have to retract that.

Someone has been pushing autossh updates into factory. This is the latest one:

https://build.opensuse.org/package/rdiff?linkrev=base&package=autossh&project=openSUSE%3AFactory&rev=5

I think I got lucky and installed autossh from the security repo, so I already have those updates, but my assumption that it was an abandoned package was wrong. I don't see anything about systemd in the changelog. I don't know anything about systemd yet, so I won't attempt that conversion, but this is probably a simple one to handle.

fyi: security seems like a strange repo to be the devel repo, but I'm not complaining. That is the only repo I have maintainer rights in.

Greg
On 03/06/2013 21:22, Greg Freemyer wrote:
On Mon, Jun 3, 2013 at 12:32 PM, Greg Freemyer
wrote: I imagine it will be one of the last things moved to systemd just because there are few if any users (besides my attempt here).
I have to retract that.
Someone has been pushing autossh updates into factory. This is the latest one:
I think I got lucky and installed autossh from the security repo, so I already have those updates, but my assumption that it was an abandoned package was wrong. I don't see anything about systemd in the changelog. I don't know anything about systemd yet, so I won't attempt that conversion, but this is probably a simple one to handle.
fyi: security seems like a strange repo to be the devel repo, but I'm not complaining. That is the only repo I have maintainer rights in.
Greg
If you want something more robust, use OpenVPN. Here is my config file:

    remote <IP>
    dev tun
    ifconfig <IP> <IP>
    secret "/etc/openvpn/cle.key"
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    port 1234
    float

Don't forget to name your config file in *.conf so that the openvpn service finds it.

Dsant
On Tue, Jun 11, 2013 at 9:59 AM, Dsant
On 03/06/2013 21:22, Greg Freemyer wrote:
On Mon, Jun 3, 2013 at 12:32 PM, Greg Freemyer
wrote: I imagine it will be one of the last things moved to systemd just because there are few if any users (besides my attempt here).
I have to retract that.
Someone has been pushing autossh updates into factory. This is the latest one:
I think I got lucky and installed autossh from the security repo, so I already have those updates, but my assumption that it was an abandoned package was wrong. I don't see anything about systemd in the changelog. I don't know anything about systemd yet, so I won't attempt that conversion, but this is probably a simple one to handle.
fyi: security seems like a strange repo to be the devel repo, but I'm not complaining. That is the only repo I have maintainer rights in.
Greg
If you want something more robust, use OpenVPN. Here is my config file:

    remote <IP>
    dev tun
    ifconfig <IP> <IP>
    secret "/etc/openvpn/cle.key"
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    port 1234
    float

Don't forget to name your config file in *.conf so that the openvpn service finds it.
Dsant
I'll keep it in mind. For now, autossh has kept my ssh tunnel up for a full week with no issues.

Greg
participants (3)
- Dsant
- Greg Freemyer
- Per Jessen