public:it:ssh, revision 2021/11/19 16:13 by phil (last revision before the page was removed).
===== SSH Certificates =====

  * https://
  * A great guide on setting up host and user certificates.
  * [[https://
===== AutoSSH =====
https://

Now that you are able to create various forward or reverse SSH tunnels with lots of options and even simplify your life with `~/

I know there are plenty of scripts out there which try to do that somehow. Some use a while loop, others encourage you to run a remote command (such as tail) so that you don't run into a timeout, and there are various others. But you don't actually want to re-invent the wheel; stick to bullet-proof, already existing solutions. So the game-changer here is [[http://
==== TL;DR ====
<code>
autossh -M 0 -o "
</code>
or fully configured (via `~/

<
==== What is AutoSSH ====
http://

> Autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic.
==== Basic Usage ====
<

Ignore `-M` for now. `-V` simply displays the version and exits. The important part to remember is that `-f` (run in background) is not passed to the ssh command but handled by `autossh` itself. Apart from that, you can use it just like you would use ssh to create any forward or reverse tunnels.

Let's take the basic example from part one of this article series (forwarding a remote MySQL port to my local machine on port 5000):

<

This can simply be turned into an autossh command:

<

This is basically it. Not much magic here.

Note 1: Before you use `autossh`, make sure the connection works as expected by trying it with ssh first.
Note 2: Make sure you use public/

==== AutoSSH and -M (monitoring port) ====
With `-M` AutoSSH will continuously send data back and forth through the pair of monitoring ports in order to keep track of an established connection. If no data is going through anymore, it will restart the connection. The specified monitoring port and the port directly above it (+1) must be free: the first one is used to send data and the one above it to receive data.

Unfortunately,

`ServerAliveInterval` and `ServerAliveCountMax` cause the SSH client to send traffic through the encrypted link to the server. This keeps the connection alive when there is no other activity, and when the client stops receiving alive replies it tells AutoSSH that the connection is broken, so AutoSSH restarts it.

The AutoSSH man page also recommends the second solution:

> -M [:
> …
> In many ways this [ServerAliveInterval and ServerAliveCountMax options] may be a better solution than the monitoring port.

<

Additionally you will also have to specify values for ServerAliveInterval and ServerAliveCountMax:

<

So now the complete tunnel command will look like this:
<

^ Option ^ Description ^
| ServerAliveInterval | ServerAliveInterval: |
| ServerAliveCountMax | Sets the number of server alive messages which may be sent without ssh receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. Default: 3 |

==== AutoSSH and ~/
In the previous article we were able to simplify the tunnel command via `~/

This was our very customized configuration for ssh tunnels which had custom ports and custom rsa keys:

<code>
$ vim ~/
Host cli-mysql-tunnel
    HostName
    User cytopia
    Port 1022
    IdentityFile
    LocalForward
</code>
We can also add the `ServerAliveInterval` and `ServerAliveCountMax` options to that file in order to make things even easier.

<code>
$ vim ~/
Host cli-mysql-tunnel
    HostName
    User cytopia
    Port 1022
    IdentityFile
    LocalForward
    ServerAliveInterval 30
    ServerAliveCountMax 3
</code>

If you recall all the ssh options we had used already, we can now simply start the autossh tunnel like so:

<

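The monitoring-port section above and this `~/.ssh/config` section both hinge on one question: which `ServerAliveInterval` and `ServerAliveCountMax` values does a Host alias actually end up with, and how long does a stalled tunnel therefore survive before ssh gives up and autossh restarts it? The script below is an added example (not from the original page or from the AutoSSH project) that answers that for a config file. It mimics the ssh_config rule that the first obtained value of an option wins, which means a `Host *` block placed earlier in the file silently overrides a later, more specific block. Everything in it is an assumption of the example: the parser ignores `Match` blocks, `!`-negated patterns, `Key=Value` syntax and `Include`, and the demo config (hostname, values) is constructed.

```sh
# Added example, not part of the original wiki page: audit which keepalive
# values a Host alias in ~/.ssh/config really gets, and how long a silent
# tunnel survives before the client (and therefore autossh -M 0) notices.
#
# ssh_config rule mimicked here: for every option the FIRST obtained value
# wins, so a "Host *" block placed earlier in the file silently overrides a
# later, more specific block. Assumptions of this example: no Match blocks,
# no "!" negated patterns, no Key=Value syntax and no Include directives.

# ssh_config_get FILE HOSTALIAS OPTION
#   prints the effective value of OPTION for HOSTALIAS; exit status 1 if unset
ssh_config_get() (
    file=$1 host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    set -f                       # keep "Host *" a pattern, not a file glob
    in_scope=1                   # options before the first Host line apply to all hosts
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}         # strip comments
        set -- $line             # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        if [ "$key" = host ]; then
            in_scope=0
            for pat in "$@"; do  # any pattern on the Host line may match
                case $host in $pat) in_scope=1 ;; esac
            done
            continue
        fi
        [ "$in_scope" -eq 1 ] || continue
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$*"
            exit 0
        fi
    done < "$file"
    exit 1
)

# keepalive_deadline FILE HOSTALIAS
#   seconds of silence after which ssh disconnects: ServerAliveInterval *
#   ServerAliveCountMax, using the OpenSSH defaults (0 and 3) when unset.
#   "never" means keepalives are off, so a hung tunnel is never detected
#   unless autossh's own -M monitoring port is used instead.
keepalive_deadline() {
    interval=$(ssh_config_get "$1" "$2" ServerAliveInterval) || interval=0
    count=$(ssh_config_get "$1" "$2" ServerAliveCountMax) || count=3
    if [ "$interval" -eq 0 ]; then
        echo never
    else
        echo $((interval * count))
    fi
}

# Demo on a constructed config file (hostname and values are made up):
demo_cfg=${TMPDIR:-/tmp}/sshcfg_demo_$$
cat > "$demo_cfg" <<'EOF'
Host *
    ServerAliveInterval 15

Host cli-mysql-tunnel
    HostName mysql.example.invalid
    User cytopia
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
echo "effective ServerAliveInterval: $(ssh_config_get "$demo_cfg" cli-mysql-tunnel ServerAliveInterval)"  # 15, not 30
echo "dead link noticed after: $(keepalive_deadline "$demo_cfg" cli-mysql-tunnel)s"                       # 45
rm -f "$demo_cfg"
```

Run `keepalive_deadline ~/.ssh/config cli-mysql-tunnel` against the real file before enabling a tunnel with `-M 0`: if it prints `never`, the ServerAlive options are not in effect for that alias and autossh has no way to detect a stalled tunnel, so either add them to the right Host block or go back to a monitoring port.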
==== AutoSSH environment variables ====
AutoSSH can also be controlled via a couple of environment variables. Those are useful if you want to run AutoSSH unattended via cron, from shell scripts, or at boot time with the help of systemd services. The most used variable is probably AUTOSSH_GATETIME:

> AUTOSSH_GATETIME
> How long ssh must be up before we consider it a successful connection. Default is 30 seconds. If set to 0, then this behaviour is disabled, and as well, autossh will retry even on failure of first attempt to run ssh.

Setting `AUTOSSH_GATETIME` to 0 is most useful when running AutoSSH at boot time.

All other environment variables, including the ones responsible for logging options, can be found in the AutoSSH README.

==== AutoSSH during boot with systemd ====
If you want a permanent SSH tunnel already created during boot time, you will (nowadays) have to create a systemd service and enable it. There is however an important thing to note about systemd and AutoSSH: `-f` (background usage) already implies `AUTOSSH_GATETIME=0`,

> http://
> […] running programs in the background using “&

So in the case of systemd we need to make use of `AUTOSSH_GATETIME`. Let's look at a very basic service:

<code>
$ vim /
[Unit]
Description=AutoSSH tunnel service everythingcli MySQL on local port 5000
After=network.target

[Service]
Environment="
ExecStart=/

[Install]
WantedBy=multi-user.target
</code>

<code>
systemctl daemon-reload
systemctl start autossh-mysql-tunnel.service
systemctl enable autossh-mysql-tunnel.service
</code>