Phone Home

In the old days when I ran my server from my basement I automatically had access to my home machines. This was useful for all sorts of things but mainly allowing me to monitor my Gentoo system while it re-built the world. However nowadays this is trickier, especially when I'm using my work provided pipe which goes through multiple NAT steps, not all of which I can control.

There is of course a solution available with OpenSSH and it's powerful port forwarding capabilities. First I add a backchannel configuration to ~/.ssh/config:

Host backchannel
     User username
     HostName myserver.com
     RemoteForward localhost:10001 localhost:22
     TCPKeepAlive no
     ServerAliveInterval 2

Now by simple typing ssh backchannel I've created a reverse tunnel that means I can ssh into my server on the public internet and login to my home machine by typing ssh -p 10000 username@localhost. As my public machine is also fairly locked down only people actually logged into my machine can use this port (in fact I can lock this down further with a --uid-owner iptables rule).

The one remaining problem is that occasionally the backchannel connection drops, most likely due to rogue RST packets from the ISP. This is solved by a some metaphorical duct tape:

while [ 1 ]; do ssh backchannel; done

The only thing I'd really like to improve is using a special key for the backchannel which would only be able to set up the tunnel rather than have full shell access to my server. Apparently it's possible but my Google-fu has been weak in finding out the answer.