Reverse ssh tunnels: Difference between revisions

(Created page with "== /etc/systemd/system/j1.service == <nowiki>[Unit] Description=Service to maintain an ssh reverse tunnel Wants=network-online.target After=network-online.target StartLimitIn...")
 
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
== /etc/systemd/system/j1.service ==
== /etc/systemd/system/j1.service ==


<nowiki>[Unit]
<nowiki>[Unit]
Description=Service to maintain an ssh reverse tunnel
Description=Service to maintain an ssh reverse tunnel
Wants=network-online.target
Wants=network-online.target
Line 10: Line 10:
Type=simple
Type=simple
Environment="J1HOST=c1"
Environment="J1HOST=c1"
Environment="J1RAND=0"
ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment J1RAND=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20)"
ExecStart=
ExecStart=/usr/bin/ssh -qNn \
ExecStart=/usr/bin/ssh -qNn \
   -o ServerAliveInterval=30 \
   -o ServerAliveInterval=30 \
Line 19: Line 18:
   -o UserKnownHostsFile=/dev/null \
   -o UserKnownHostsFile=/dev/null \
   -o StreamLocalBindUnlink=yes \
   -o StreamLocalBindUnlink=yes \
  -o BatchMode=yes \
   -i /root/.ssh/id_rsa \
   -i /root/.ssh/id_rsa \
   -R /home/r/socks/${J1HOST}.${J1RAND}.sock:localhost:22 \
   -R /home/r/socks/${J1HOST}.${J1RAND}.sock:localhost:22 \
Line 27: Line 27:
[Install]
[Install]
WantedBy=multi-user.target</nowiki>
WantedBy=multi-user.target</nowiki>
== authorized_keys (on jump server) ==
<nowiki>command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitopen="255.255.255.255:9" ssh-rsa AAAA...</nowiki>
== jump.sh (from initiating machine) ==
<nowiki># for now this just grabs the first thing of this name, even if there are multiple RANDS
SOCKFILE=$(ssh root@j1.alt.org find /home/r/socks -name "${1}.*" | head -n 1)
ssh -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  -o "ProxyCommand ssh root@j1.alt.org socat - UNIX-CLIENT:${SOCKFILE}" root@junkvariable</nowiki>
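Review bot: In the added jump.sh block (the last hunk), `SOCKFILE` is taken verbatim from the output of a remote `find` and then spliced, unvalidated and unquoted, into the ProxyCommand string that `root@j1.alt.org` runs through its shell, so the name of any socket the tunnel account `r` can bind under /home/r/socks decides what that root shell executes; `head -n 1` also silently picks an arbitrary socket when several clients share a J1HOST. Check the name against the shape the unit actually produces before using it, e.g. `[[ $SOCKFILE =~ ^/home/r/socks/[A-Za-z0-9._-]+\.sock$ ]] || { echo "no usable socket for $1" >&2; exit 1; }`, which also catches the empty-result case. Separately, both the unit (hunk 3, around the added `BatchMode=yes`) and jump.sh connect with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so neither side ever verifies the jump host's identity; pin its key in a real known_hosts file and, for the final hop, give each target its own `-o HostKeyAlias="$1"` entry instead of sharing the dummy name `junkvariable`. The `systemctl set-environment` call in hunk 2 also writes J1RAND into the manager's global environment, where it persists and is inherited by every service started afterwards.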

Latest revision as of 20:40, 1 August 2021

/etc/systemd/system/j1.service

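# j1.service - keeps a reverse ssh tunnel from this host up to the jump server
# j1.alt.org. The client binds a unix socket under /home/r/socks on the jump
# host that forwards back to local port 22; jump.sh on an operator machine
# connects through that socket.
[Unit]
Description=Service to maintain an ssh reverse tunnel
Wants=network-online.target
After=network-online.target
# Never stop retrying; Restart=/RestartSec= below pace the attempts.
StartLimitIntervalSec=0

[Service]
Type=simple
Environment="J1HOST=c1"
# The random socket suffix is generated inside the shell that execs ssh, so no
# value has to be published with `systemctl set-environment` (that call writes
# into the manager's global environment, where the value persists and is
# inherited by every service started later).
# systemd expands ${J1HOST} itself; the $(...) part is left to bash.
# Host keys are verified: the jump server's key must be present in
# /root/.ssh/known_hosts (obtained out of band) before the first start.
# Use StrictHostKeyChecking=accept-new to pin it on first contact instead.
# BatchMode=yes keeps ssh from blocking on any prompt under systemd.
ExecStart=/usr/bin/bash -c 'exec /usr/bin/ssh -qNn \
  -o ServerAliveInterval=30 \
  -o ServerAliveCountMax=3 \
  -o ExitOnForwardFailure=yes \
  -o StrictHostKeyChecking=yes \
  -o StreamLocalBindUnlink=yes \
  -o BatchMode=yes \
  -i /root/.ssh/id_rsa \
  -R /home/r/socks/${J1HOST}.$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20).sock:localhost:22 \
  r@j1.alt.org'
Restart=always
# seconds between restart attempts
RestartSec=60

[Install]
WantedBy=multi-user.target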

authorized_keys (on jump server)

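# Key presented by the tunnel clients (j1.service). They only need the reverse
# (-R) socket forward, so: no command or shell (the clients run ssh -N), no
# agent/X11 forwarding, no PTY, no ~/.ssh/rc, and local (-L) forwarding
# pinned to an unroutable destination, presumably to make -L unusable.
command="/bin/false",no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc,permitopen="255.255.255.255:9" ssh-rsa AAAA...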

jump.sh (from initiating machine)

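#!/bin/bash
# jump.sh HOST - open an ssh session to tunnel client HOST by way of the
# reverse socket it bound on the jump server (see j1.service). Run from an
# operator machine that can ssh to root@j1.alt.org.
set -eu

host=${1:?usage: jump.sh HOST}
# HOST becomes part of a command line run by root's shell on the jump server;
# allow only the characters a J1HOST= value in j1.service would use.
[[ $host =~ ^[A-Za-z0-9_-]+$ ]] || { echo "jump.sh: bad host name: $host" >&2; exit 1; }

# The first matching socket is used; when one host has several live tunnels
# (several J1RAND values) the choice between them is arbitrary.
SOCKFILE=$(ssh root@j1.alt.org "find /home/r/socks -maxdepth 1 -type s -name '${host}.*.sock'" | head -n 1)

# The socket name is chosen by whoever bound it as user r on the jump server
# and is interpolated into another root command line below, so accept only the
# J1HOST.J1RAND.sock shape j1.service creates; this also rejects an empty
# result when no socket was found.
[[ $SOCKFILE =~ ^/home/r/socks/[A-Za-z0-9._-]+\.sock$ ]] || { echo "jump.sh: no usable socket for $host" >&2; exit 1; }

# ProxyCommand supplies the transport, so the hostname after root@ is only a
# label; HostKeyAlias records and checks each target's host key under its own
# name instead of disabling host key verification.
ssh -o HostKeyAlias="${host}" \
  -o "ProxyCommand ssh root@j1.alt.org socat - UNIX-CLIENT:${SOCKFILE}" root@junkvariable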