Transferred from: http://www.cnblogs.com/eshizhan/archive/2012/07/16/2592902.html
0. Anyone who has touched Linux is familiar with SSH, and with the convenience of scp and sftp. Normally you just connect to ip:port (or the default port 22). Some situations are special, though: connecting to an intranet host (a company intranet, say), which is not possible without punching a hole in the company firewall. Anyone with a little networking knowledge knows that the Internet cannot actively connect to an intranet host. There are two general solutions. One is port forwarding: a port of the intranet host is opened through the firewall, so the two hosts communicate as if both were on the external network. The other is for the intranet host to actively connect to the external host, known as a reverse connection (Reverse Connection): the NAT router/firewall then establishes a mapping between the intranet host and the external host, and the two can communicate naturally. This mapping is maintained automatically by the NAT router and does not persist; if the connection drops or the network is unstable, communication fails, and the intranet host has to actively connect to the external host again to re-establish it.
1. With the theory out of the way, here is the practical part:
Goal: A controls B
Host A: external network, IP 123.123.123.123, sshd port 2221
Host B: intranet, sshd port 2223
Both the external host A and the intranet host B need to run the SSH daemon.
1.1. First, execute on B:
$ ssh -NfR 1234:localhost:2223 user1@123.123.123.123 -p 2221
This binds port 1234 of host A to port 2223 of host B, which is a remote port mapping (forwarding).
Each time you have to enter the login password of user1 on host A; the solution is given later.
1.2. sshd on host A will now listen on local port 1234:
$ ss -ant
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0             127.0.0.1:1234      *:*
1.3. Connect to port 1234 of host A as usual to control the intranet host B:
$ ssh localhost -p 1234
2. As said at the outset, this kind of reverse connection (Reverse Connection) is unstable and may drop at any time, after which intranet host B must connect to external host A again. So you need a "friend" to execute that command for you on intranet host B. That friend is autossh.
Before that, the earlier problem must be solved: every time intranet host B connects to external host A it needs a password. ssh itself offers another authentication method for this, authenticating the user's identity with a key, which gives automatic login.
2.1. Generate the public and private key on intranet host B:
$ ssh-keygen
... (press Enter at every prompt; the key pair is generated under ~/.ssh/)
$ ls ~/.ssh/
id_rsa id_rsa.pub known_hosts
2.2. Copy the id_rsa.pub public key generated on host B to external host A and append its content to ~/.ssh/authorized_keys:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
Test it: intranet host B now connects to external host A without entering a password.
Addendum: today I learned about the ssh-copy-id command, which makes the above operation simple:
$ ssh-copy-id -p 2221 user1@123.123.123.123
2.3. Now look at how autossh is used:
$ autossh -M 5678 -NR 1234:localhost:2223 user1@123.123.123.123 -p 2221
Compared with the earlier command, a -M 5678 parameter is added: autossh monitors the connection status through port 5678 and reconnects automatically when the connection has a problem. The -f parameter is removed, because autossh itself runs in the background.
3. The ultimate solution: after intranet host B reboots, who starts autossh automatically? Make it a daemon.
When run in daemon mode, autossh and ssh are effectively executed as root, so the .ssh/authorized_keys and key files under the normal user's home directory are not used. There are two ways to solve this: either specify the .ssh path through autossh's parameters, or run the daemon as the normal user. The second way:
/bin/su -c '/usr/bin/autossh -M 5678 -NR 1234:localhost:2223 user1@123.123.123.123 -p 2221' - user1
autossh also has a number of parameters for setting the reconnect interval and so on.
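As an added example (not from the original post), the following shell functions tie sections 1.2, 2.3 and 3 together: one builds the autossh command line for the A-controls-B setup, one checks `ss -ant` output for the tunnel listener on A, and one writes a restricted authorized_keys entry for A so the key from B can only open the reverse tunnel, not a shell. It assumes the post's addresses and ports, a constructed `ss` sample and a constructed placeholder public key, and OpenSSH 7.8 or newer on A for `permitlisten`.

```shell
#!/bin/sh
# Added example; values mirror the post: A=123.123.123.123 (sshd 2221),
# B sshd 2223, tunnel port 1234 on A, autossh monitor port 5678, user user1.

# Build the autossh command line for the reverse tunnel.
# $1 tunnel port on A, $2 sshd port on B, $3 user@host of A,
# $4 sshd port on A, $5 autossh monitor port
autossh_cmd() {
    printf '/usr/bin/autossh -M %s -NR %s:localhost:%s %s -p %s\n' \
        "$5" "$1" "$2" "$3" "$4"
}

# Restricted authorized_keys line for host A: "restrict" disables pty,
# agent/X11 forwarding and ~/.ssh/rc; "port-forwarding" re-enables
# forwarding, and "permitlisten" limits -R to the given port only.
# $1 tunnel port, $2 public key text (e.g. contents of id_rsa.pub)
restricted_key_line() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Read `ss -ant` output on stdin; succeed if 127.0.0.1:<port> is LISTEN.
# Reading stdin lets the check run on constructed input as well as live output.
tunnel_listening() {
    awk -v port="$1" '
        BEGIN { want = "127.0.0.1:" port }
        $1 == "LISTEN" && $4 == want { found = 1 }
        END { exit !found }'
}

# Constructed sample of `ss -ant` on host A after the tunnel is up.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:1234      *:*
LISTEN 0      128    0.0.0.0:2221        *:*'

# Constructed placeholder key; use the real id_rsa.pub from B in practice.
B_PUBKEY='ssh-ed25519 AAAA...CONSTRUCTED user1@B'

main() {
    autossh_cmd 1234 2223 user1@123.123.123.123 2221 5678
    restricted_key_line 1234 "$B_PUBKEY"
    if printf '%s\n' "$SS_SAMPLE" | tunnel_listening 1234; then
        echo "tunnel port 1234 is listening on A"
    else
        echo "tunnel port 1234 is NOT listening on A" >&2
    fi
}

[ "${0##*/}" = "autossh_check.sh" ] && main
```

The `ss -ant | tunnel_listening 1234` check is what to run on A when autossh reports a reconnect, and the restricted key line is what belongs in A's ~/.ssh/authorized_keys instead of the plain id_rsa.pub content.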
Put the above command into whichever of the following startup mechanisms matches your system:
SysV: /etc/init.d/autossh
Upstart: /etc/init/autossh.conf
systemd: /usr/lib/systemd/system/autossh.service
P.S.
1. If home is on ADSL, use DDNS to solve the changing IP problem.
2. If the external host sits behind a router, a port mapping can be configured on it.
3. Even with key and password protection in place, use this with care.
SSH Reverse Connection and AUTOSSH