Turtle Modifications For AutoSSH

How to make AutoSSH work better on your LAN Turtle
September 2, 2016
lan turtle autossh

UCI

Change /etc/config/autossh to the following:

config autossh
        option gatetime '0'
        option monitorport '20000'
        option poll '600'
        option ssh '-i /root/.ssh/id_rsa -N -T -R 2222:localhost:22 user@my.example.box.com'

I experimented with turning off the monitor port in autossh and using ServerAliveInterval within SSH instead, and I found that whenever I needed to connect back over the tunnel it wasn’t working. The connection was up, but nothing was passing over it - SSH never realized that it was dead. Switching back to using the monitoring within AutoSSH keeps it up.

SSH config file

Change ~root/.ssh/config to the following:

Host my.autossh.box.com
  User autossh
  Port 2222
  IdentityFile ~/.ssh/id_rsa
  RemoteForward 2222 localhost:22
  ServerAliveInterval 10
  ServerAliveCountMax 3
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Some of these items are redundant because they are also provided by the autossh script on the command line, but they’re great to have in your config file to allow testing via SSH directly.

The main thing here is the last two lines. They prevent the LAN Turtle from failing to reconnect over SSH in the event that the host key changes. They do this by never storing the key (UserKnownHostsFile pointing at /dev/null) and by accepting whatever key the server presents (StrictHostKeyChecking no), so host key verification is effectively switched off for this connection.

Test

Test that this works first, using SSH:

root@turtle:~# ssh my.autossh.box.com
ECDSA host key for IP address '1.2.3.4' not in list of known hosts.
Welcome to Alpine!

e0b8187b35d8:~$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::2222                 :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN

e0b8187b35d8:~$ nc localhost 2222
SSH-2.0-OpenSSH_6.6
^Cpunt!

This shows that you can ssh from your turtle to your remote box and that a connection back on the designated port gives the SSH banner (from the turtle).
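The same check, scripted so it can be repeated from the server side (by hand or from cron) whenever a tunnel looks dead. This is an added example, not code from the original post; it assumes port 2222 as configured above and an nc whose -w option bounds the wait (OpenBSD nc does; with other implementations prefix the call with timeout 3).

```shell
#!/bin/sh
# Added example, not part of the original post: checks from the server side
# that the reverse-tunnel port autossh opened (2222 above) is really being
# served by the Turtle's sshd, the same thing "nc localhost 2222" showed by hand.
# Assumption: nc's -w bounds both connect and idle time (true for OpenBSD nc);
# if yours only bounds the connect phase, run it as "timeout 3 nc ...".

# Succeeds if $1 looks like an SSH identification line (RFC 4253 format).
is_ssh_banner() {
    case "$1" in
        SSH-2.0-*|SSH-1.99-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the first line the listener on $1:$2 sends. sshd sends its banner
# without waiting for the client, so a healthy tunnel answers immediately;
# a port that is open but goes nowhere (the "up but nothing passes" failure
# described above) stays silent until the timeout and yields an empty string.
read_banner() {
    nc -w 3 "$1" "$2" </dev/null 2>/dev/null | head -n 1 | tr -d '\r'
}

# Returns 0 when the tunnel on the given port serves SSH, 1 otherwise.
check_tunnel() {
    port="${1:-2222}"
    banner="$(read_banner localhost "$port")"
    if is_ssh_banner "$banner"; then
        echo "port $port: tunnel alive ($banner)"
        return 0
    fi
    echo "port $port: no SSH banner (got: '${banner:-nothing}')" >&2
    return 1
}

# Run the check only when invoked as "sh tunnelcheck.sh --run [port]", so the
# functions can also be sourced from a cron job or monitoring script.
if [ "${1:-}" = "--run" ]; then
    check_tunnel "${2:-2222}"
fi
```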

Run AutoSSH

You can do this two ways. There is an init script in /etc/turtle/autostart_modules/ that does some mods to the uci configuration before calling the system init script. This is how the turtle will start autossh on boot, so it’s your safest bet.

root@turtle:~# /etc/turtle/autostart_modules/99-autossh start

Alternatively, if you just want to run autossh directly from uci, you can call the system init script.

root@turtle:~# /etc/init.d/autossh start

Additional slickery

So now that you have autossh running, wtf do you do with it?

On the server side you can run a command like this:

$ ssh -p 2222 root@localhost

That gets tedious. What if you have multiple inbound ssh tunnels open? Do you want to have to remember which port goes to which destination? Why not make your life easier?

In ~/.ssh/config you can put an entry like this:

Host target
  User root
  Port 2222
  Hostname localhost

Repeat as necessary for other destinations. Now all you have to do is:

$ ssh target

And you’re in like Flynn.