Setting up a permanent ssh tunnel using autossh

Since the original website is offline, I’m hosting the content here now
Setting up a permanent SSH tunnel between 2 servers

Greetings everyone,

Today, I’ll show you how to set up a simple, permanent SSH tunnel between two Linux servers that reconnects automatically in case of failure.

It may happen (for your own reasons) that you need to connect 2 remote servers together, and to do so with a minimum of security (encrypted SSH traffic rather than plain text).

I’ve been looking through the ssh/sshd options that let you set up a TCP tunnel between 2 remote hosts.

The command for doing it is pretty easy:

[email protected]:~$ ssh -L 11223:localhost:23344 pierre@remote-server.com

This command will connect as “pierre” on “remote-server.com”, opening a local TCP port so that my localhost:11223 is forwarded to the remote server’s localhost:23344 (see man ssh for more explanation).

NOTE: Using a port < 1024 requires root privileges.

The 1st problem: every time I run this, it asks me for a password! Well, SSH has the solution for it 😀 It is called “key exchange” (public-key authentication): the idea is to create a personal key pair and use it to log in on the remote server.

Configure ssh auto-login:

Create both your public and private key by running:

[email protected]:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pierre/.ssh/id_rsa):
Created directory '/home/pierre/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pierre/.ssh/id_rsa.
Your public key has been saved in /home/pierre/.ssh/id_rsa.pub.
The key fingerprint is:
ed:3e:d7:62:48:7e:2b:f1:d5:94:e3:13:ee:7a:fa:aa [email protected]
The key's randomart image is:
+--[ RSA 2048]----+

Good, now you should have 2 files: id_rsa.pub contains your public key, and id_rsa contains the private key used to authenticate you to the remote server (it stays on this machine). The public key should look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxGc51/0BL51jV5B2EFwE4vqcvvB0PKCErsRAzzWluyNZ1/J1V3HbtwYRf9H38LJgeNYWPgBVe9BGAPTklj/MJZwtWwvhHFP/V+IaHLNbr7pW/wJdIEyRAU4i8xZNkyrlhBIPc+0b1j41PWuh3B5JorxyueP1nlcWn0xm6q5BdRiiyAKc/n1pbnTNQ1MP5YbEdaAI3K3eao5JXm5m4KcR30F+KGRg6u5Sla9qWReYgK9IF7FRL9tzSOzfoLLdLUCIBEQBpHMata3GWXJwGMRJMJp4Iw2tvb6PGNvc/MlrasJNqUef8u/TLHKYrV/0F5Z3T5HO3ZyzvxTHXsahnagP8w== [email protected]

To enable ssh login without being prompted for a password, create ~/.ssh/authorized_keys2 on the remote server (current OpenSSH uses ~/.ssh/authorized_keys by default and reads both names) and copy the public key into it.

Run ssh -L again and tadaa, you are logged in without a password 🙂

Final step: what happens when the link goes down, e.g. when the server reboots or loses the connection? Well, it disconnects. I’ve been searching for many solutions to detect the disconnection and reconnect the link automatically, and probably the lightest and easiest software for doing that is called: autossh.

Unfortunately, autossh doesn’t come precompiled as a Debian package, so I had to download and compile it from source.

Installation:

wget http://www.harding.motd.ca/autossh/autossh-1.4b.tgz
tar zxvf autossh-1.4b.tgz
cd autossh-1.4b
./configure
make

And as root:

make install

Normally, there should now be a binary in “/usr/local/bin/autossh”.

Finally, my little script:

#!/bin/sh
#
# Example script to start up tunnel with autossh.
#
# This script will tunnel 12345 from the remote host
# to 12345 on the local host.
#
ID=login_here
HOST=destination.host.com

# Start an agent and load the key if no agent is available yet,
# so ssh never stops to ask for the passphrase.
if [ "X$SSH_AUTH_SOCK" = "X" ]; then
eval `ssh-agent -s`
ssh-add $HOME/.ssh/id_rsa
fi

# autossh settings: poll the monitor every 600s, use port 20000 for the
# monitor loop, give up if the first connection dies within 30s, log to
# $HOST.log with debug output, and call this ssh binary.
AUTOSSH_POLL=600
AUTOSSH_PORT=20000
AUTOSSH_GATETIME=30
AUTOSSH_LOGFILE=$HOST.log
AUTOSSH_DEBUG=yes
AUTOSSH_PATH=/usr/bin/ssh
export AUTOSSH_POLL AUTOSSH_LOGFILE AUTOSSH_DEBUG AUTOSSH_PATH AUTOSSH_GATETIME AUTOSSH_PORT
autossh -2 -fN -M 20000 -L 12345:localhost:12345 ${ID}@${HOST}

Enjoy 🙂

Original post: http://pierre.linux.edu/2010/05/setting-up-a-permanent-ssh-tunnel-between-2-servers/

#!/bin/sh

#
# Example script to start up tunnel with autossh.
#
# This script forwards port 19501 on the remote host (-R)
# to port 19501 on the local host, over sshd listening on 19500.
#

ID=root
HOST=host.vpls.net

#if [ "X$SSH_AUTH_SOCK" = "X" ]; then
#eval `ssh-agent -s`
#ssh-add $HOME/.ssh/id_rsa
#fi

AUTOSSH_POLL=600
AUTOSSH_PORT=20000
AUTOSSH_GATETIME=30
AUTOSSH_LOGFILE=$HOST.log
AUTOSSH_DEBUG=yes
AUTOSSH_PATH=/usr/bin/ssh
export AUTOSSH_POLL AUTOSSH_LOGFILE AUTOSSH_DEBUG AUTOSSH_PATH AUTOSSH_GATETIME AUTOSSH_PORT
autossh -2 -f -N -T -p19500 -M20000 -R 19501:localhost:19501 ${ID}@${HOST}

-f tells ssh to background itself after it authenticates, so you don’t have to keep a foreground session open for the tunnel to remain alive.

-N says that you want an SSH connection, but you don’t actually want to run any remote commands. If all you’re creating is a tunnel, then including this option saves resources.

-T disables pseudo-tty allocation, which is appropriate because you’re not trying to create an interactive shell.
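As an added example (not the original post’s script, nor the one above), here is a variant of the same key-based autossh start-up, with -f -N -T and the -M monitor, that adds the ssh options which stop a broken tunnel from looking alive and prints the authorized_keys line that confines the tunnel key on the remote host. ID, HOST, KEY and the port numbers are assumed placeholders; the restrict keyword needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not the original post's script: the same key-based autossh
# tunnel, plus the ssh options that stop it from failing silently and the
# authorized_keys restrictions for the tunnel key on the remote side.
# ID, HOST, KEY and the port numbers are assumed placeholder values.

ID=tunnel                         # assumed: dedicated unprivileged account
HOST=remote-server.example        # assumed
KEY=$HOME/.ssh/id_tunnel          # assumed: a key used only for this tunnel
LOCAL_PORT=12345
REMOTE_PORT=12345
MONITOR_PORT=20000

# With the default AUTOSSH_GATETIME (30s), a first connection that fails within
# 30s makes autossh give up for good, e.g. when this host boots before the
# remote one is reachable. 0 tells it to keep retrying anyway.
AUTOSSH_GATETIME=0; export AUTOSSH_GATETIME

# Options that make failures visible instead of leaving a zombie tunnel:
#  ExitOnForwardFailure  ssh exits if the local port cannot be bound, so autossh
#                        restarts it instead of "succeeding" with no forward
#  ServerAlive*          ssh notices a dead peer in about 60s without waiting
#                        for the TCP session to time out
#  BatchMode             never hang on a password/passphrase prompt unattended
#  IdentitiesOnly        offer only this key, not everything loaded in the agent
SSH_OPTS="-o ExitOnForwardFailure=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=3 -o BatchMode=yes -o IdentitiesOnly=yes"

# Assemble the command line as a string so it can be inspected before it runs.
build_autossh_cmd() {
    echo "autossh -f -N -T -M $MONITOR_PORT $SSH_OPTS -i $KEY -L $LOCAL_PORT:localhost:$REMOTE_PORT $ID@$HOST"
}

# The line to install in ~/.ssh/authorized_keys on $HOST for this key:
# 'restrict' drops pty, agent/X11 forwarding and rc files, 'port-forwarding'
# re-enables only forwarding, 'permitopen' limits -L to the one destination the
# tunnel needs, and the forced command answers any shell request with /bin/false.
build_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitopen="localhost:%s",command="/bin/false" %s\n' \
        "$REMOTE_PORT" "$1"
}

case "${1:-}" in
    start) eval "$(build_autossh_cmd)" ;;
    key)   build_authorized_keys_line "$(cat "$KEY.pub")" ;;
    *)     echo "usage: $0 start | key" >&2 ;;
esac
```

Run it with `key` once to get the line for the remote authorized_keys, then with `start` from the local side; autossh exits immediately if the forward cannot be set up instead of pretending the tunnel is up.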
