Rogan Dawes
2016-Sep-23 09:16 UTC
SSH Enhancements - Delete StreamLocal forwards on disconnect, and bind to interface
Hi folks,

I'm using OpenSSH to set up a rendezvous for a number of OpenWRT devices.

Central server has the following configuration in sshd_config:

    # This is to work around a bug only fixed in OpenSSH 7.3 (most likely)
    StreamLocalBindUnlink yes

    Match User sshvpn
        ChrootDirectory /var/sshvpn/
        AllowTCPForwarding no
        AllowStreamLocalForwarding yes
        StreamLocalBindUnlink yes

Clients connect to the server using the following invocation, via autossh:

    /usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o ServerAliveCountMax=2 \
        -o ServerAliveInterval=120 -o StrictHostKeyChecking=yes -o TCPKeepAlive=yes \
        -o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=no -o BatchMode=yes \
        -nN -R /sshvpn/gateway-78a3510e3b38:127.0.0.1:22 sshvpn@myserver

I can then connect to the device from my central server using the following:

    ssh -o "StrictHostKeyChecking=no" \
        -o Proxycommand="socat UNIX:/var/sshvpn/sshvpn/gateway-78a3510e3b38 -" \
        -D 1085 root@gateway-78a3510e3b38

and subsequently access the device itself or any other hosts it can reach.

This works pretty well! There are a couple of small things that would make this perfect:

1. sshd should be configurable to delete the StreamLocal file when the client disconnects. Otherwise it can be tricky to figure out which clients have an active, usable connection. Most times, I just get "the other end has disconnected" because socat cannot open the domain socket.

2. The devices are intended to be deployed into a customer environment, and may have wifi or ethernet uplink as well as 3G. I want to keep the 3G link up and accessible in case the ethernet or wifi uplinks fail for whatever reason. It seems to me that one way to achieve this is to have multiple autossh sessions running, each bound to the IP address of the ethernet/wifi/3g interfaces. This will ensure that each autossh instance will be routed via that interface, rather than the default route.

While this is doable with a bit of scripting, the addresses can change as the interfaces go up and down, and it seems to me that this is something that could be reasonably implemented in OpenSSH itself, e.g. with a -B eth0 option (analogous to -b <ip>).

Any comments on these suggestions? Would patches to implement these be considered?

Rogan