Difference between revisions of "Ssh reverse tunnel"
From Teknologisk videncenter
Latest revision as of 07:11, 23 January 2026
To ssh to a Linux server behind a firewall that does not allow incoming connections, a reverse ssh tunnel can be created from that server to a known client host. The client host needs a static IP address or a DNS hostname.
Remote server
To allow login without a password, create a public/private RSA key pair on the client and copy the public key into the ~/.ssh/authorized_keys file, then set its mode to 600.
<source lang=bash>
ssh -o TCPKeepAlive=yes -R 9000:localhost:22 heth@93.166.84.21
</source>
Establishing the reverse tunnel from a script file. You probably need to install autossh.
<source lang=bash>
#!/usr/bin/bash
# See: https://medium.com/@souri.rv/autossh-for-keeping-ssh-tunnels-alive-5c14207c6ba9
# Runs on the remote server: opens the tunnel to the client host so that
# port 9000 on the client host reaches this machine's sshd (port 22).
REMOTE_HOST="222.2.2.2"
REMOTE_PORT="9000"
REMOTE_USER="steve"
# -M 0 disables autossh's monitor port; the ServerAlive options detect a dead
# connection instead and autossh reconnects. Extra ssh options may be passed as $1.
autossh -M 0 -gNC $1 -o "ExitOnForwardFailure=yes" -o "ServerAliveInterval=10" -o "ServerAliveCountMax=3" -R ${REMOTE_PORT}:localhost:22 ${REMOTE_USER}@${REMOTE_HOST}
</source>
/etc/systemd/system/reversessh.service
<source lang=ini>
[Unit]
Description=Reverse SSH tunnel
After=network.target
StartLimitIntervalSec=60
StartLimitBurst=12

[Service]
ExecStart=/bin/bash /home/steve/bin/reversessh.sh
Type=simple
User=steve
Group=steve
Restart=on-failure
RestartSec=5

[Install]
WantedBy=default.target
RequiredBy=network.target
</source>
local machine
On the local machine you want to ssh from, create ~/bin/sshremote with the following content and make it executable. Use it for example as: sshremote mars chris
<source lang=bash>
#!/bin/bash
# sshremote <host> <user>: log in to <host> through the reverse tunnel it
# keeps open on this machine (each remote server forwards its port 22 here).

declare -A hosts

# machine name in /etc/hosts maps to the reverse-tunnel port on localhost
hosts["mars"]=9999
hosts["mbus1"]=9998
hosts["mars2"]=9997
hosts["dhdc"]=9996

host=$1
user=$2
ip="localhost"
# An unknown name would otherwise yield 'ssh -p' with an empty port.
if [[ $# -ne 2 || -z ${hosts[$host]} ]]; then
    echo "usage: sshremote <host> <user>; known hosts: ${!hosts[*]}" >&2
    exit 1
fi

ssh -p "${hosts[$host]}" "${user}@${ip}"
</source>
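The -R listener on the client host is bound to loopback only unless that host's sshd has GatewayPorts enabled (the -g flag in reversessh.sh only affects local forwards); if it is bound to 0.0.0.0 or [::], the remote server's sshd on port 9000 becomes reachable from anyone who can reach the client host. The audit script below is an added example, not part of the original page: it parses `ss -ltn` output (a constructed sample is embedded) and flags any tunnel port from reversessh.sh or the sshremote map that is not bound to a loopback address.

```shell
#!/bin/sh
# Added example: audit the listeners that -R tunnels open on the client host.
# Exposed = bound to anything other than 127.0.0.1 or [::1].

# Tunnel ports used on this page: 9000 from reversessh.sh, the rest from sshremote.
tunnel_ports="9000 9996 9997 9998 9999"

set -f   # ss output contains '*'; never let it expand as a glob

# check_tunnel_listeners: reads 'ss -ltn' output on stdin and prints one line
# per tunnel port, "PORT local-only" or "PORT EXPOSED on ADDR".
# Returns 1 if any tunnel port is exposed, 0 otherwise.
check_tunnel_listeners() {
  rc=0
  while read -r line; do
    case "$line" in LISTEN*) ;; *) continue ;; esac   # skip header/other states
    set -- $line                                      # $4 = Local Address:Port
    addr="${4%:*}"
    port="${4##*:}"
    for p in $tunnel_ports; do
      [ "$p" = "$port" ] || continue
      case "$addr" in
        127.0.0.1|'[::1]') printf '%s local-only\n' "$port" ;;
        *) printf '%s EXPOSED on %s\n' "$port" "$addr"; rc=1 ;;
      esac
    done
  done
  return $rc
}

# exposed_ports: same input, prints only the exposed port numbers (exit 0).
exposed_ports() {
  check_tunnel_listeners | awk '$2 == "EXPOSED" { print $1 }'
}

# Constructed sample of 'ss -ltn' output: 9999 is wrongly bound to all
# interfaces, 9000 and 9998 are loopback-only, 22 is the host's own sshd.
sample_ss='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:9999        0.0.0.0:*
LISTEN 0      128    [::1]:9998          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# On the client host run against the live socket table; offline, use the sample.
if command -v ss >/dev/null 2>&1; then
  ss -ltn | check_tunnel_listeners
else
  printf '%s\n' "$sample_ss" | check_tunnel_listeners
fi
```

If a port is reported as exposed, set GatewayPorts no in the client host's sshd_config (or restrict the tunnel key with PermitListen) and restart the tunnel.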