In the old days when I ran my server from my basement I automatically had access to my home machines. This was useful for all sorts of things but mainly allowing me to monitor my Gentoo system while it re-built the world. However nowadays this is trickier, especially when I’m using my work provided pipe which goes through multiple NAT steps, not all of which I can control.
There is of course a solution available with OpenSSH and its powerful port forwarding capabilities. First I add a backchannel configuration to ~/.ssh/config:

    Host backchannel
        User username
        HostName myserver.com
        RemoteForward localhost:10001 localhost:22
        TCPKeepAlive no
        ServerAliveInterval 2
Now by simply typing ssh backchannel I’ve created a reverse tunnel: I can ssh into my server on the public internet and log in to my home machine by typing ssh -p 10000 username@localhost. As my public machine is also fairly locked down, and the listener is bound to localhost, only people actually logged into my machine can use this port (in fact I can lock this down further with a --uid-owner iptables rule).
The one remaining problem is that occasionally the backchannel connection drops, most likely due to rogue RST packets from the ISP. This is solved by some metaphorical duct tape:
while [ 1 ]; do ssh backchannel; done
The only thing I’d really like to improve is using a special key for the backchannel which would only be able to set up the tunnel rather than having full shell access to my server. Apparently it’s possible, but my Google-fu has been weak in finding the answer.
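A hardened version of the duct-tape loop together with the tunnel-only key described above, as an added example (not the post’s own script). It assumes the backchannel host entry from ~/.ssh/config with its RemoteForward listener on port 10001, and the authorized_keys options restrict and permitlisten, which need OpenSSH 7.8 or later on the server.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened reconnect loop and
# the tunnel-only authorized_keys entry the post asks about. Assumes the
# "backchannel" entry from ~/.ssh/config with RemoteForward on port 10001.

# Seconds to wait before reconnect attempt $1 (1-based): 2,4,8,... capped at 60.
backoff_delay() {
    n=$1
    d=2
    while [ "$n" -gt 1 ]; do
        d=$((d * 2))
        n=$((n - 1))
        [ "$d" -ge 60 ] && { d=60; break; }
    done
    echo "$d"
}

# Reconnect loop. The ssh options do the real work:
#  -N                    ask for no shell, only the forwarding
#  ExitOnForwardFailure  if sshd cannot bind the -R listener (a stale session
#                        still holds it) exit and retry, rather than staying
#                        connected with no tunnel
#  BatchMode             never prompt, so a missing key fails instead of hanging
#  ServerAlive*          treat the peer as dead after 3 missed probes
run_backchannel() {
    attempt=1
    while :; do
        ssh -N -o ExitOnForwardFailure=yes -o BatchMode=yes \
            -o ServerAliveInterval=2 -o ServerAliveCountMax=3 \
            backchannel && attempt=1   # clean exit: reset the backoff
        delay=$(backoff_delay "$attempt")
        echo "backchannel down, retrying in ${delay}s" >&2
        sleep "$delay"
        attempt=$((attempt + 1))
    done
}

# authorized_keys line on the public server for a key that may only open the
# reverse listener: no pty, no agent/X11 forwarding, no other ports, and any
# command request gets /bin/false (with -N the client never requests one).
# restrict and permitlisten need OpenSSH 7.8 or newer. $1 = port, $2 = key.
tunnel_only_entry() {
    printf 'restrict,permitlisten="localhost:%s",command="/bin/false" %s\n' "$1" "$2"
}

# Only start the loop when invoked as: sh backchannel.sh run
if [ "${1:-}" = run ]; then
    run_backchannel
fi
```

Without ExitOnForwardFailure the plain loop can reconnect successfully while the remote port is still held by the previous, half-dead session, leaving you connected but with no tunnel until that session times out.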
I think you can have ssh connect as a user with /bin/true as his shell. I’ve not tried it though. I would guess you’d need the -N option to ssh when the shell is /bin/true.
One very minor change to your shell loop to make it smaller:
while :; do ssh backchannel; done
That does work, although I’m sure there is a way to restrict actions to specific keys rather than users. On a vaguely unrelated note, I have users who have shell access to my machine even though all they need it for is uploading files to their websites via scp. It would be nice to be able to lock them down a bit more.
Thanks for the brevity tip.
Set those users’ shell to scponly.
I’ve had the same problem with connections dropping in the past, but now I use autossh and do not have any problems. In fact, if I use autossh to create the link, it will automatically reconnect after suspending my laptop for the night.
Thanks for the pointer, I shall have a look at it.
Maybe you can try autossh instead of the while loop.