SSH Reverse Tunnel on Linux with systemd
February 20, 2014
This aims to do all the same things as my SSH Reverse Tunnel on Mac OS X post, except this is for Linux systems running systemd. Systemd as a process monitor is an awesome way to implement the phone-home ssh service.
I'm going to skip most of the details and justification for doing this and instead refer interested readers to my previous blog entry.
Setup the Server
All the steps are the same, except nowadays I'd recommend generating an ECDSA key. By default my Arch Linux system makes an ECDSA key with a 256-bit length. This is very similar to the ECDSA algorithm used for things like Bitcoin, but it uses the NIST P-256 curve (Bitcoin uses secp256k1).
client $ ssh-keygen -f ~/.ssh/servername-home-fwd -t ecdsa
As my previous blog post instructs, copy the key over to the server and install it in the
Astute readers will note the shorter length of the ECDSA public key. Despite the shorter length, a 256-bit ECDSA key is believed to be stronger than the 2048-bit RSA key ssh-keygen would use by default (see keylength.com for more details).
Setup the Client
Setting up the client running systemd (Arch Linux in my case) is approximately the same, except that systemd is used instead of launchd on Mac OS X.
To do this, a system service file is necessary, as opposed to a systemd user service running in the user's session. A system unit can be enabled by the system at boot. System units typically run as root, so it's necessary to set the User= directive to avoid running the ssh client as root.
Create the systemd unit file (/etc/systemd/system/phone-home.service, as shown in the status output further down):
[Unit]
Description=Phone Home Reverse SSH Service
ConditionPathExists=|/usr/bin

[Service]
User=localuser
# StrictHostKeyChecking=no skips host key verification; pre-seeding the local
# user's known_hosts with the server's key and using "yes" is the safer choice.
# On current systemd, %h in a system unit expands to the manager's home (/root),
# not the User= home, so use an absolute key path there if in doubt.
ExecStart=/usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i %h/.ssh/servername-home-key -R 12345:localhost:22 remoteuser@servername
# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=3
Restart=always

[Install]
WantedBy=multi-user.target
localuser is the user that the ssh client will run as, not root. The ssh client will log in to servername as user remoteuser using the key servername-home-key and forward the client's local port 22 to the remote server's port 12345 (the -R argument in ExecStart).
After that file is saved, start the service:
client $ sudo systemctl restart phone-home.service
Check to see if it started:
client $ sudo systemctl status -l phone-home.service
phone-home.service - Phone Home Reverse SSH Service
   Loaded: loaded (/etc/systemd/system/phone-home.service; enabled)
   Active: active (running) since Thu 2014-02-20 20:40:32 PST; 4min 45s ago
 Main PID: 2559 (ssh)
   CGroup: /system.slice/phone-home.service
           └─2559 /usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i /home/user/.ssh/core-home-fwd -R 12345:localhost:22 remoteuser@servername

Feb 20 20:40:32 recon systemd: Started Phone Home Reverse SSH Service.
Finally, enable it to start at boot:
client $ sudo systemctl enable phone-home.service
ln -s '/etc/systemd/system/phone-home.service' '/etc/systemd/system/multi-user.target.wants/phone-home.service'
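As an added example (not code from the original post), here is a small POSIX shell helper that does two things around the procedure above: it renders the phone-home unit with the safer options (StrictHostKeyChecking=yes against a known_hosts that has been pre-seeded with the server's host key, and an absolute key path instead of %h, since current systemd resolves %h in a system unit to the manager's home, /root, rather than the User= home), and it lints an existing unit for the settings that matter before it is installed. The function names render_phone_home_unit and lint_phone_home_unit are my own; servername, remoteuser, localuser and port 12345 are the post's placeholders.

```shell
#!/bin/sh
# Added example: render a phone-home reverse SSH unit with safer ssh options,
# and lint a unit file for the settings that decide whether the tunnel is
# safe and self-healing. Function names are assumptions, not systemd's.

# Print a complete unit to stdout.
# $1 local user to run ssh as, $2 remote user, $3 server, $4 remote port,
# $5 absolute path of the private key (spelled out rather than %h: current
# systemd resolves %h in a system unit to /root, not to User='s home).
render_phone_home_unit() {
cat <<EOF
[Unit]
Description=Phone Home Reverse SSH Service
ConditionPathExists=|/usr/bin

[Service]
User=$1
# StrictHostKeyChecking=yes: the server's host key must already be in the local
# user's known_hosts, so a man-in-the-middle cannot impersonate the server.
ExecStart=/usr/bin/ssh -NTC -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -i $5 -R $4:localhost:22 $2@$3
# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=3
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# Report problems in a unit file, one per line on stdout.
# Exit status is the number of findings, so 0 means every check passed.
lint_phone_home_unit() {
    unit=$1
    findings=0
    user=$(sed -n 's/^User=//p' "$unit")
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "User= missing or root: the ssh client would run as root"
        findings=$((findings + 1))
    fi
    exec_start=$(sed -n 's/^ExecStart=//p' "$unit")
    case "$exec_start" in
        *ExitOnForwardFailure=yes*) ;;
        *) echo "ExitOnForwardFailure=yes missing: a failed -R bind leaves ssh connected with no tunnel"
           findings=$((findings + 1)) ;;
    esac
    case "$exec_start" in
        *StrictHostKeyChecking=no*)
            echo "StrictHostKeyChecking=no: the server's host key is never verified"
            findings=$((findings + 1)) ;;
    esac
    case "$exec_start" in
        *%h*)
            echo "%h in ExecStart: current systemd resolves it to /root in a system unit, not to User='s home"
            findings=$((findings + 1)) ;;
    esac
    if ! grep -q '^Restart=always' "$unit"; then
        echo "Restart=always missing: the tunnel will not come back after a dropped connection"
        findings=$((findings + 1))
    fi
    restart_sec=$(sed -n 's/^RestartSec=//p' "$unit")
    case "$restart_sec" in
        ''|*[!0-9]*) bad_delay=1 ;;
        *) [ "$restart_sec" -ge 3 ] && bad_delay=0 || bad_delay=1 ;;
    esac
    if [ "$bad_delay" -eq 1 ]; then
        echo "RestartSec should be a plain integer of at least 3 (seconds) to stay under StartLimitInterval"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage (not run automatically): render, lint, then install under /etc/systemd/system/.
#   render_phone_home_unit localuser remoteuser servername 12345 /home/localuser/.ssh/servername-home-fwd > phone-home.service
#   lint_phone_home_unit phone-home.service && sudo cp phone-home.service /etc/systemd/system/
```

Run the lint against the post's own unit and it reports two findings (StrictHostKeyChecking=no and the %h path); the rendered unit passes clean. After copying a new or changed unit into /etc/systemd/system/, run systemctl daemon-reload before restart so systemd picks up the edit.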
Unfortunately there isn't an easy way to hook into the network state and only start this service when the network is up. Perhaps this will be easier to fix in the future as systemd evolves with Linux distributions. Ideally it would be nice to say "start this if there is a default route that likely leads to the Internet".
Instead, the current implementation is a service that will attempt to connect to a remote server every 2 minutes and fail; not the end of the world, but not perfect -- yet.