Pierre's Blog

Greeting everyone,

Today, I’ll show you how to setup an easy and permanent SSH tunnel that auto reconnect in case of failure between two linux servers.

It may happen (for your own personal reason) that you need to connect 2 remote server together, and this, with a minimum of security (Not plain text but SSL communications)

I’ve been looking on ssh/sshd for the options that allows you to setup a TCP tunnel between 2 remote hosts.

The command for doing it is pretty easy:

 pierre@linux.edu:~$ ssh -L 11223:localhost:23344 pierre@remote-server.com

This command will connect as “pierre” on “remote-server.com”, opening a local TCP port from my localhost:11223 to the remote’s server localhost:23344 (See man ssh to get more explanations)

NOTE: Using port < 1024 will need root privileges

The 1st problem, every time I hit this, it ask me for a password!

Well, SSH as the solution for it

This is call “key exchange”, the idea is to create a personal key to connect on the remote server

Configure ssh auto-login:

Create both of your public and private key by running:

pierre@linux.edu:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pierre/.ssh/id_rsa):
Created directory '/home/pierre/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pierre/.ssh/id_rsa.
Your public key has been saved in /home/pierre/.ssh/id_rsa.pub.
The key fingerprint is:
ed:3e:d7:62:48:7e:2b:f1:d5:94:e3:13:ee:7a:fa:aa pierre@phpmyadmin.linux.edu
The key's randomart image is:
+--[ RSA 2048]----+

Good, now you should 2 files, one is id_rsa.pub and it contain your public key, the other one is id_rsa and it has the private key to encrypt data to the remote server.

Public key should look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxGc51/0BL51jV5B2EFwE4vqcvvB0PKCErsRAzzWluyNZ1/J1V3HbtwYRf9H38LJgeNYWPgBVe9BGAPTklj/MJZwtWwvhHFP/V+IaHLNbr7pW/wJdIEyRAU4i8xZNkyrlhBIPc+0b1j41PWuh3B5JorxyueP1nlcWn0xm6q5BdRiiyAKc/n1pbnTNQ1MP5YbEdaAI3K3eao5JXm5m4KcR30F+KGRg6u5Sla9qWReYgK9IF7FRL9tzSOzfoLLdLUCIBEQBpHMata3GWXJwGMRJMJp4Iw2tvb6PGNvc/MlrasJNqUef8u/TLHKYrV/0F5Z3T5HO3ZyzvxTHXsahnagP8w== pierre@linux.edu

To enable auto ssh login without being prompt for a password, create the ./~ssh/authorized_keys2 and copy the public key into it.

Run ssh -L again and tadaa, you are logged without password

Final step, what happen when links goes down? Eg, when the server reboot or loose the connections?

Well, it disconnect.

I’ve been searching for many solutions to detect disconnection and reconnect link automatically, and probably the most light and easy software for making that is call: autossh.

Unfortunately, autossh doesn’t come precompiled with a Debian package. So I had to download and compile it from source.

Installation:

Wget http://www.harding.motd.ca/autossh/autossh-1.4b.tgz
Tar zxvf
./configure
Make

And as root, make install

Normally, there should be a binary in “/usr/local/bin/autossh”

Finally, my little script

#!/bin/sh

#
# Example script to start up tunnel with autossh.
#
# This script will tunnel 12345 from the remote host
# to 12345 on the local host.
#

ID=login_here
HOST=destination.host.com

if [ "X$SSH_AUTH_SOCK" = "X" ]; then
 eval `ssh-agent -s`
 ssh-add $HOME/.ssh/id_rsa
fi

AUTOSSH_POLL=600
AUTOSSH_PORT=20000
AUTOSSH_GATETIME=30
AUTOSSH_LOGFILE=$HOST.log
AUTOSSH_DEBUG=yes
AUTOSSH_PATH=/usr/bin/ssh
export AUTOSSH_POLL AUTOSSH_LOGFILE AUTOSSH_DEBUG AUTOSSH_PATH AUTOSSH_GATETIME AUTOSSH_PORT
autossh -2 -fN -M 20000 -L 12345:localhost:12345 ${ID}@${HOST}

Enjoy