Difference between revisions of "Reverse ssh bridge"
From mn.fysikk.laglivlab
m (Small fix) |
(Added documentation to autossh) |
||
| Line 10: | Line 10: | ||
** Your username on the .1X machine is Xusername | ** Your username on the .1X machine is Xusername | ||
* Ideally SSH keys should be set between the .1X and login. So you should be able to access login from the .1X computer by typing ''ssh UiOusername@login.uio.no'' and get the connection without typing your password. | * Ideally SSH keys should be set between the .1X and login. So you should be able to access login from the .1X computer by typing ''ssh UiOusername@login.uio.no'' and get the connection without typing your password. | ||
| − | * On the .1X computer, a reverse SSH bridge can be started by the command: | + | * On the .1X computer, a reverse SSH bridge can be started by the command: <syntaxhighlight lang="bash"> ssh -v -N -R 2225:localhost:22 UiOusername@login.uio.no </syntaxhighlight> which will establish a reverse connection between port 22 of the .1X machine and port 2225 of the login:localhost. This script needs to keep running. |
* On login you should now be able to connect the .1X machine by using: ''ssh Xusername@localhost -p 2225''. | * On login you should now be able to connect the .1X machine by using: ''ssh Xusername@localhost -p 2225''. | ||
* You can also now access the .1X machine from your computer by establishing a proxy jump on login. This is more easily set by creating configurations in the .ssh/config file. Here is an example of configuration to access login directly by typing ''ssh login'' and fys-lab-flow by jumping on login: | * You can also now access the .1X machine from your computer by establishing a proxy jump on login. This is more easily set by creating configurations in the .ssh/config file. Here is an example of configuration to access login directly by typing ''ssh login'' and fys-lab-flow by jumping on login: | ||
| Line 30: | Line 30: | ||
#### END FILE | #### END FILE | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | == Setting a reverse SSH service == | ||
| + | |||
| + | The method above does work okay for testing but it has several drawbacks: | ||
| + | * it needs to be set up at every reboot the .1X machine | ||
| + | * it needs to be set up again if the connection between the .1X and login is lost for some reason. | ||
| + | |||
| + | These problems can be solved by leveraging on ''autossh'', which can check and restart an ssh connection, and services that can monitor it. | ||
| + | * Setup: | ||
| + | ** In addition to the settings from the previous item, you will also need sudo access to the .1X machine. | ||
| + | |||
| + | On the .1X machine, create a service file by running <syntaxhighlight lang="bash">sudo nano /etc/systemd/system/autossh-reverse-Xusername.service</syntaxhighlight> | ||
| + | and fill it with (adapt the usernames of course): | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | [Unit] | ||
| + | Description=Keeps an SSH tunnel to login open | ||
| + | After=network-online.target | ||
| + | |||
| + | [Service] | ||
| + | User=Xusername # to be changed! | ||
| + | ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -N -R 2225:localhost:22 UiOusername@login.uio.no #to be changed | ||
| + | ExecStop=/usr/bin/killall -s KILL autossh | ||
| + | Restart=always | ||
| + | RestartSec=3 | ||
| + | |||
| + | [Install] | ||
| + | WantedBy=multi-user.target | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Then this service can be started by: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | sudo systemctl daemon-reload | ||
| + | sudo systemctl enable autossh-reverse-Xusername.service | ||
| + | sudo systemctl start autossh-reverse-Xusername.service | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 17:03, 15 November 2023
Usage of a reverse ssh bridge at UiO
At UiO, for security reasons, the computers which are not managed by the university should be placed on a separate network which is "deeper", it is called the 802.1X network, .1X in short. Some of our computational resources (fys-lab-flow, datacenter computer…) are on this network. As of now (Nov. 2023), it is no longer possible to ssh a computer on the .1X from a computer which is not on the .1X, which means that it is not possible to connect to fys-lab-flow from login. But, the inverse is possible: fys-lab-flow can connect to login. As an SSH connection works both ways once connected (the remote computer can send information to the connecting computer), a way to connect to computers on the .1X network is to keep an SSH connection from the computer on the .1X and login and use this connection on reverse so that this connection can be accessed from login.
Setting up a reverse ssh bridge
- Setup:
- Your username on login is UiOusername
- Your username on the .1X machine is Xusername
- Ideally SSH keys should be set between the .1X and login. So you should be able to access login from the .1X computer by typing ssh UiOusername@login.uio.no and get the connection without typing your password.
- On the .1X computer, a reverse SSH bridge can be started by the command: which will establish a reverse connection between port 22 of the .1X machine and port 2225 of the login:localhost. This script needs to keep running.
ssh -v -N -R 2225:localhost:22 UiOusername@login.uio.no
- On login you should now be able to connect the .1X machine by using: ssh Xusername@localhost -p 2225.
- You can also now access the .1X machine from your computer by establishing a proxy jump on login. This is more easily set by creating configurations in the .ssh/config file. Here is an example of configuration to access login directly by typing ssh login and fys-lab-flow by jumping on login:
#### FILE BEGIN: .ssh/config
# Settings for login
Host login
User UiOusername
HostName login1.uio.no
# Setting for fys-lab-flow
Host fys-lab-flow
User Xusername
ProxyJump UiOusername@login1.uio.no
HostName localhost
Port 2225
#### END FILE
Setting a reverse SSH service
The method above does work okay for testing but it has several drawbacks:
- it needs to be set up at every reboot the .1X machine
- it needs to be set up again if the connection between the .1X and login is lost for some reason.
These problems can be solved by leveraging on autossh, which can check and restart an ssh connection, and services that can monitor it.
- Setup:
- In addition to the settings from the previous item, you will also need sudo access to the .1X machine.
sudo nano /etc/systemd/system/autossh-reverse-Xusername.service
and fill it with (adapt the usernames of course):
[Unit]
Description=Keeps an SSH tunnel to login open
After=network-online.target
[Service]
User=Xusername # to be changed!
ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -N -R 2225:localhost:22 UiOusername@login.uio.no #to be changed
ExecStop=/usr/bin/killall -s KILL autossh
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
Then this service can be started by:
sudo systemctl daemon-reload
sudo systemctl enable autossh-reverse-Xusername.service
sudo systemctl start autossh-reverse-Xusername.service
