Re: ssh tunnel - remote access through nat

2006-10-13 Thread Solovyov, Evgeny
On 25.07.06 12:03 , Drew wrote:
 Hi,
 I've got a box that's nat'd out to the internet. It is occasionally
 necessary for me to access this box remotely. The obvious answer is:
 
 ssh -R :localhost:22 remote.box cat
 
 run from the nat'd box where remote box is a place I pretty much always have
 access to from anywhere, anytime. The problem is that the connection
 between these two boxes is famously unreliable - so I need to ensure that
 this connection stays available. Unfortunately, the procedure for this is
 not obvious to me. I've thought about a cron job, as the connection would
 simply fail if it couldn't bind to  on the remote box to listen. But I'm
 thinking there has to be something that makes more sense. Suggestions?
 Feedback? Thanks in advance for any pointers.
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]
 

You can look in /usr/ports/security/autossh

here is a link too:

http://www.jfranken.de/homepages/johannes/vortraege/ssh2_inhalt.de.html#ToC16


E. Solovyov

-- 
Indecision is the basis for flexibility.


Re: ssh tunnel - remote access through nat

2006-10-10 Thread martinko
Nikos Vassiliadis wrote:
 On Tuesday 25 July 2006 20:03, Drew wrote:
 Hi,
 I've got a box that's nat'd out to the internet. It is occasionally
 necessary for me to access this box remotely. The obvious answer is:

 ssh -R :localhost:22 remote.box cat

 run from the nat'd box where remote box is a place I pretty much always
 have access to from anywhere, anytime. The problem is that the connection
 between these two boxes is famously unreliable - so I need to ensure that
 this connection stays available. Unfortunately, the procedure for this is
 not obvious to me. I've thought about a cron job, as the connection would
 simply fail if it couldn't bind to  on the remote box to listen. But
 I'm thinking there has to be something that makes more sense. Suggestions?
 Feedback? Thanks in advance for any pointers.
 
 you can do something like this in bourne-like shells:
 
 while true; do
   ssh -N ...
   sleep 1
 done
 
 and something like this in csh:
 while ( 1 )
   ...
 end
 
 from ssh manual:
  -N  Do not execute a remote command.  This is useful for just
  forwarding ports (protocol version 2 only).
 
 The sleep command is used to add a little delay in case there is
 something really wrong and ssh returns immediately, resulting in looping
 very fast.
 
 Then you just have to ensure that ssh will be aware of a dropped
 connection (by the means of keep-alives) and exit. You can do this
 with ssh, but you have to configure keep-alives on both machines,
 client and server.
 
 An alternative method would be ipfw keep-alives for dynamic rules
 and you have to configure it only on the box you're ssh'ing from. It
 works very nicely.
 
 In both cases you have to use public key authentication in order to
 log on automatically after a network failure. I guess it's already
 set up.
 
 A few pointers, read ssh, sshd, ssh-keygen and ipfw manuals
 
 HTH, Nikos


Hello,

I was just thinking along these lines this evening -- putting ssh in a
loop so that the tunnel is recreated whenever the connection drops.
However, I'd like to automate it somehow so that the machine creating
the tunnel can be restarted and it tries to open up the tunnel when it boots up.
The thing is that if I just simply create an rc script to achieve this,
the script is run under root and ssh cannot make use of public key
authentication which is set up now for a user running it manually.
Or is there a way to change identity somehow or to run an rc script
under a different user account?

Cheers,

Martin



Re: ssh tunnel - remote access through nat

2006-10-10 Thread Chuck Swiger

On Oct 10, 2006, at 2:55 PM, martinko wrote:

[ ... ]
The thing is that if I just simply create an rc script to achieve this,
the script is run under root and ssh cannot make use of public key
authentication which is set up now for a user running it manually.
Or is there a way to change identity somehow or to run an rc script
under different user account ??


Of course.  One can use su - to run a command under another user,  
or use the ssh -i option to pass the user's identity (ie, their SSH  
private key) directly...


--
-Chuck



Re: ssh tunnel - remote access through nat

2006-10-10 Thread martinko
Chuck Swiger wrote:
 On Oct 10, 2006, at 2:55 PM, martinko wrote:
 [ ... ]
 The thing is that if I just simply create an rc script to achieve this,
 the script is run under root and ssh cannot make use of public key
 authentication which is set up now for a user running it manually.
 Or is there a way to change identity somehow or to run an rc script
 under different user account ??

 Of course. One can use su - to run a command under another user, or
 use the ssh -i option to pass the user's identity (ie, their SSH
 private key) directly...

 ---Chuck



su(1) usually asks for password. but it does not when run by root, of
course. :-)
i like `ssh -i`, too. only that i'll have to check whether it won't
complain that identity file ownership doesn't match user running it.
(which would be root i expect)

also, i've been kindly reminded of cron(8) and its @reboot option.

thank you all for your input! (i'd better go to bed now..;))

m.


Re: ssh tunnel - remote access through nat

2006-07-26 Thread Nikos Vassiliadis
On Tuesday 25 July 2006 20:03, Drew wrote:
 Hi,
 I've got a box that's nat'd out to the internet. It is occasionally
 necessary for me to access this box remotely. The obvious answer is:

 ssh -R :localhost:22 remote.box cat

 run from the nat'd box where remote box is a place I pretty much always
 have access to from anywhere, anytime. The problem is that the connection
 between these two boxes is famously unreliable - so I need to ensure that
 this connection stays available. Unfortunately, the procedure for this is
 not obvious to me. I've thought about a cron job, as the connection would
 simply fail if it couldn't bind to  on the remote box to listen. But
 I'm thinking there has to be something that makes more sense. Suggestions?
 Feedback? Thanks in advance for any pointers.

you can do something like this in bourne-like shells:

while true; do
ssh -N ...
sleep 1
done

and something like this in csh:
while ( 1 )
...
end

from ssh manual:
 -N  Do not execute a remote command.  This is useful for just
 forwarding ports (protocol version 2 only).

The sleep command is used to add a little delay in case there is
something really wrong and ssh returns immediately, resulting in looping
very fast.

Then you just have to ensure that ssh will be aware of a dropped
connection (by the means of keep-alives) and exit. You can do this
with ssh, but you have to configure keep-alives on both machines,
client and server.

An alternative method would be ipfw keep-alives for dynamic rules
and you have to configure it only on the box you're ssh'ing from. It
works very nicely.

In both cases you have to use public key authentication in order to
log on automatically after a network failure. I guess it's already
set up.

A few pointers, read ssh, sshd, ssh-keygen and ipfw manuals

HTH, Nikos
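
The reconnect loop, keep-alives and key-based login described in the message above, together with the point raised elsewhere in the thread about starting the tunnel at boot under a non-root account, as an added example that is not code from any poster in this thread. The listen port 2222, the account name `tunnel`, and the key and script paths are assumed placeholders, since the thread does not give them.

```shell
#!/bin/sh
# Added example: keep a reverse SSH tunnel up from the NAT'd box.
# Assumed placeholders (not from the thread): port 2222, user "tunnel", key path.
RPORT="${RPORT:-2222}"
REMOTE="${REMOTE:-tunnel@remote.box}"
KEY="${KEY:-/home/tunnel/.ssh/id_tunnel}"   # dedicated key, used only for this tunnel
MAX_DELAY=300

# On remote.box, limit what this key can do in ~tunnel/.ssh/authorized_keys:
#   restrict,port-forwarding,permitlisten="127.0.0.1:2222" ssh-ed25519 <public key>

# Run "$@" followed by the tunnel's ssh arguments: "with_tunnel_args ssh" opens
# the tunnel, "with_tunnel_args printf '%s\n'" lists the arguments for review.
with_tunnel_args() {
    "$@" -N -T -i "$KEY" \
        -o BatchMode=yes -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${RPORT}:localhost:22" "$REMOTE"
}

# Next sleep in seconds: $1 = previous delay, $2 = how long the last ssh ran.
# A session that lasted a minute resets the delay; quick failures double it.
next_delay() {
    if [ "$2" -ge 60 ]; then
        echo 1
    elif [ $(( $1 * 2 )) -gt "$MAX_DELAY" ]; then
        echo "$MAX_DELAY"
    else
        echo $(( $1 * 2 ))
    fi
}

run_tunnel() {
    delay=1
    while true; do
        start=$(date +%s)
        with_tunnel_args ssh   # returns when the link dies or the bind fails
        delay=$(next_delay "$delay" $(( $(date +%s) - start )))
        sleep "$delay"
    done
}

# Start as the unprivileged user, e.g. from that user's crontab:
#   @reboot /home/tunnel/bin/tunnel.sh run
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```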


ssh tunnel - remote access through nat

2006-07-25 Thread Drew

Hi,
I've got a box that's nat'd out to the internet. It is occasionally
necessary for me to access this box remotely. The obvious answer is:

ssh -R :localhost:22 remote.box cat

run from the nat'd box where remote box is a place I pretty much always have
access to from anywhere, anytime. The problem is that the connection
between these two boxes is famously unreliable - so I need to ensure that
this connection stays available. Unfortunately, the procedure for this is
not obvious to me. I've thought about a cron job, as the connection would
simply fail if it couldn't bind to  on the remote box to listen. But I'm
thinking there has to be something that makes more sense. Suggestions?
Feedback? Thanks in advance for any pointers.


Re: ssh tunnel - remote access through nat

2006-07-25 Thread Chuck Swiger

Drew wrote:

Hi,
I've got a box that's nat'd out to the internet. It is occasionally
necessary for me to access this box remotely. The obvious answer is:

ssh -R :localhost:22 remote.box cat

run from the nat'd box where remote box is a place I pretty much always
have access to from anywhere, anytime.


Um.  Why not forward an open port like  from whatever is doing NAT for 
this box to port 22 on it?  If the NAT gateway is being assigned a dynamic IP, 
use dyndns.org  and update script...


--
-Chuck
