Reverse ssh tunnels

From dtype.org

/etc/systemd/system/j1.service

[Unit]
Description=Service to maintain an ssh reverse tunnel
Wants=network-online.target
After=network-online.target
StartLimitIntervalSec=0

[Service]
Type=simple
Environment="J1HOST=c1"
ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment J1RAND=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20)"
ExecStart=/usr/bin/ssh -qNn \
  -o ServerAliveInterval=30 \
  -o ServerAliveCountMax=3 \
  -o ExitOnForwardFailure=yes \
  -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  -o StreamLocalBindUnlink=yes \
  -o BatchMode=yes \
  -i /root/.ssh/id_rsa \
  -R /home/r/socks/${J1HOST}.${J1RAND}.sock:localhost:22 \
  [email protected]
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target

authorized_keys (on jump server)

command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitopen="255.255.255.255:9" ssh-rsa AAAA...

jump.sh (from initiating machine)

# for now this just grabs the first thing of this name, even if there are multiple RANDS
SOCKFILE=$(ssh [email protected] find /home/r/socks -name "${1}.*" | head -n 1)
ssh -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  -o "ProxyCommand ssh [email protected] socat - UNIX-CLIENT:${SOCKFILE}" root@junkvariable
Retrieved from "https://dtype.org/index.php?title=Reverse_ssh_tunnels&oldid=2313"