autossh is a program to start an SSH session and monitor it, restarting it as necessary should it die or stop passing traffic.
When following best practices laid out by Uberspace (every service should use its own Uberspace account), it can sometimes be necessary to connect two Uberspace hosts with each other privately. For example, this is the case if you are running an OpenLDAP installation on host A and want to use it for authentication for a Nextcloud installation on host B. autossh allows you to set up an automatically monitored tunnel between hosts to use for port forwarding.
For this guide you should be familiar with the basic concepts of
[isabell@stardust ~] wget http://www.harding.motd.ca/autossh/autossh-99.9f.tgz [isabell@stardust ~] tar zxf autossh-99.9f.tgz [isabell@stardust ~] cd autossh-99.9f [isabell@stardust autossh-99.9f]
make install (the
--prefix options tells make to install to your home directory):
[isabell@stardust autossh-99.9f] ./configure --prefix=$HOME [...] [isabell@stardust autossh-99.9f] make [...] [isabell@stardust autossh-99.9f] make install [...]
which autossh should return
~/bin/autossh. If not, check the output of the respective commands for errors.
Configuration and Usage¶
In order to use autossh comfortably, you need to define a connection in your
~/.ssh/config - for the sake of the example, let’s assume the following connection in
Host service-tunnel HostName tsudrats.uberspace.de User llebasi IdentityFile ~/.ssh/servicetunnel LocalForward 9000 localhost:9000
This configuration will forward the local port
9000 to the remote port
9000. It could be opened manually by calling
To ensure that the remote host and it’s key fingerprint are trusted, either add them manually to your
~/.ssh/known_hosts or connect to the host once, check the fingerprint and then answer
yes when prompted.
[isabell@stardust ~] ssh firstname.lastname@example.org exit The authenticity of host 'tsudrats.uberspace.de (220.127.116.11)' can't be established. ED25519 key fingerprint is SHA256:taekOiAJ0efuyKpBtDKuE9c04LXJqJhVNcP1ltr798E. ED25519 key fingerprint is MD5:dc:df:0a:f7:2c:cd:62:8a:7e:a3:d7:a1:43:56:0c:36:0. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'tsudrats.uberspace.de,18.104.22.168' (ED25519) to the list of known hosts.
This guide assumes that you have set up public key authentication (see
IdentityFile parameter in
~/.ssh/config). This is required as otherwise you will always be prompted for your password when trying to open the tunnel. See the Uberspace manual for setting up public key authentication if you don’t know how.
With the information from step 1, it is time to configure supervisord to handle our autossh process. Create the file
~/etc/services.d/autossh.ini with the following content:
[program:autossh] command=autossh -M 0 service-tunnel -T -N autostart=true autorestart=false
This will make sure that autossh is automatically started if the host reboots but ignore termination of autossh (which will only happen if there are repeated errors with the connection).
-M 0 will cause autossh not to send dummy data through the connection,
-T -N will launch a non-interactive ssh connection. After you have created the file, update the control daemon:
[isabell@stardust ~] supervisorctl reread autossh: available [isabell@stardust ~] supervisorctl update autossh: added process group [isabell@stardust ~] supervisorctl status autossh RUNNING pid 16184, uptime 0:00:02
Check the output of
supervisorctl status. If it’s not in state
RUNNING, something went wrong.
That’s it, you have successfully configured an automatically launching port forwarding tunnel between to hosts!Written by: Thomas Hoffmann <email@example.com>