AutoSSH: the Terminal Necromancer's guide

AutoSSH: the Terminal Necromancer’s guide

This is somewhat of an addendum to my SSH blogpost. If you want to read about reverse SSH tunnels and get quickly up to speed, here you go.

Now, without further ado, let us begin.

What is AutoSSH?

AutoSSH, as the name implies, is a command that sets up a persistent SSH tunnel. Emphasis on persistent. If a regular SSH tunnel is not used for a while or if the connection gets interrupted, it shuts down. Not a huge deal if you are on the client end, but this is not what reverse SSH is usually used for. Reverse SSH tunnels, however, usually imply you don’t intend to be at the end-point for extended periods of time. It serves when you cannot SSH into your target box directly, but have access to a VPS that serves as the “crossroads”.

AutoSSH solves this issue by setting up an auto-resurrecting tunnel. If your connection breaks, it tries to connect again when the box gets back online.

There are many use cases, but let us get down to business and make you an SSH necromancer!

Prerequisites

While this first step is simple to anyone who has set up tunnels before, or basically anyone who knows what’s up with SSH, I’ll go over it anyway. First of all, we need to setup an SSH key. To set this up, let us assume the lay of the land first:

Server name: m4iler.ssh Endpoint name: raspberry.ssh

Setting up an SSH key

The issue with autossh is that even though it reconnects, it will not type in a password for you. That is why we first need to setup an ssh key that the endpoint uses to establish a reverse tunnel to our “Command&Control” server. I will assume you never did this before, so I’ll go from the start:

On your raspberry.ssh, run the following:

1) ssh-keygen. The script will walk you through. Basics are fine, if you want to password protect your key, you can, although it’s not really necessary, since you take care of your shit and don’t let unauthorized people play with it… right?

2) ssh-copy-id $USERNAME@m4iler.ssh This command copies the key you created to the server and associates it with the $USERNAME you put in. After you run the command, you need to put in the password for the username you selected. This is the last time you put that in, I promise.

3) ssh $USERNAME@m4iler.ssh Try your setup. If it is correct, the command will not ask for a password, it will provide the key and show you a terminal, just like that. No typing in your long-ass password, it’s just you and the machine.

So, we now have passwordless entry into our server. Your computers recognize each other and the authorization goes without your interaction.

CAUTION: If you ever have to reinstall your m4iler.ssh OS, don’t be alarmed: When you first try to connect, not only did the SSH key disappear, the reinstall will have also changed the fingerprint. Your raspberry.ssh PC will throw a tantrum about this (and believe me, it’s a good thing for security). Just follow the manual, delete the offending line in ~/.ssh/known_hosts and set up the key again.

Reverse tunnel in AutoSSH - How is it different?

If you haven’t read my post on reverse SSH tunnels, now’s the time. I don’t want to waste your time, so I’ll assume you’ve read it already.

AutoSSH has certain caveats that might trip a new user up (they tripped me up), so I’ll mention them:

Firstly, AutoSSH behaves like two commands: SSH, the script that actually runs the tunnel and works as you would expect it to, and the AutoSSH wrapper that provides extra functionality and stability when working with your tunnels.

Say we want to forward a tunnel and set it up persistently. Until the next shutdown, this program will… hold the door.

I’m assuming raspberrypi’s user is pi and m4iler.ssh has the main user m4iler

pi$ autossh -NR 1337:raspberry.ssh:22 m4iler@m4iler.ssh

Now, apart from the auto, this command is indistinguishable from the original. What perks does it give us?

It gives us the monitoring for our connection. It periodically pings your server and reestablishes a connection if you suffer a disconnect, provided you set up the SSH key properly (which is why I put this in the beginning). As long as the server is up and the client’s up, you’re good to go!

Next, let us talk about one more flag, the -f flag. What the -f flag does is purely autoSSH’s stuff, but I don’t see a case where it’s not useful. If you put -f after autossh, your connection drops to the background. So now it’s persistent and stays on after you log out of your box. Great!

This is enough knowledge to get you started in SSH necromancy. Get a cheap VPS, hook all your other boxes (any of them behind a firewall) to it via autossh and you can imagine a long corridor full of doors, each of them leading into a different part of your universe, to a different zombie computer! I could explain the white-hat and black-hat aspects of this, but I just present the tools, you use them as you wish.

Extending the tunnel

To paraphrase the modern-day Shakespeare, MC Ride: SSH is cool, but there’s more things in life. I wholeheartedly agree, that is why we’ll be setting up an OpenVPN server as well! This server will reside completely in your LAN, no opening ports in your router, just an SSH tunnel going outside and pointing back to our home server. From there, you can securely do whatever dirt you need. Print documents on the home server from the internet, I don’t judge. Make a little on-the-go lab (I know I am doing this right after I’m finished writing this).

First, install OpenVPN on your home server. I don’t care how you do it, I use a script to install and setup a client .ovpn file, you do you.

The OpenVPN setup script I use No guarantees on this code, I didn’t write that shit.

After you have everything set up, let me assume your setup runs on port 1194, raspberry.ssh. What we’ll do is use autossh to tunnel port 1194 on raspberry to port 2019 on m4iler.ssh.

There are a few things we need to modify a few lines in our config files.

Modifying OVPNs

Firstly, let us edit the client .ovpn file. Change the line proto udp to proto tcp. Secondly, the remote line should point to the server address and the tunnel entry port, in our case, the line will show remote m4iler.ssh 2019.

In the /etc/openvpn/server.conf, change proto udp to proto tcp and you’re done! Nothing more is needed of you. Let’s forward our port.

autossh -f -NR 2019:raspberry.ssh:1194 $USERNAME@m4iler.ssh

This command (taken apart earlier) opens port 2019 on our m4iler.ssh server and any traffic coming in on port 2019 will be automatically forwarded to port 1194 on raspberry.ssh.

To test your setup, connect to a network other than the one raspberry.ssh is connected to and run OpenVPN with the provided config file. If all went well, you are now connected to a VPN server running on raspberry.ssh and you have internal LAN access! Now, you can be home (and do needed maintenance) anywhere you are!

Conclusion

I hope this short topic was helpful and that I didn’t ramble too long. If you enjoyed this, e-mail me, or you can hit me up on Mastodon!

My new e-mail, just for this use-case, is m4iler [running on] cock dot email.

Love you all!

-m