Reverse ssh
Reverse ssh is a method of connecting to a destination host in which it is actually the host that initiates the connection, to a middle server that both sides can reach.
== Rationale ==
If your N900 (or any other Linux machine) is hiding behind private IP addresses, firewalls or NATs that you cannot configure, and is therefore unreachable from outside, you can overcome these obstacles with reverse ssh. Further discussion is located in this [http://talk.maemo.org/showthread.php?p=696130#post696130 thread].
== How To ==
Reverse ssh depends on a common server, a machine that both the client (source) and the host (destination) can reach.
The host connects to the common server and asks it to listen on a port; the common server keeps that session open. When the client later connects to that port on the common server, the server forwards the connection back through the existing session to the host.
== Incentive ==
My N900 has an unlimited 3G data connection, and I wanted to be able to ssh to it, even though it is using a private IP address which is unreachable. Reverse ssh made it possible.
== Installation Steps ==
The core of this "workaround" is very simple. It consists of:
* A common server which has an ssh server accessible to both client and host.
* The host runs the command: ssh -N -C -p <commonServerPort> -R <forwardedPort>:127.0.0.1:<hostPort> commonServerHostname
* Example: ssh -N -C -p 22 -R 2222:127.0.0.1:22 myHostname.no-ip.info
* -N opens no remote shell, -C compresses the traffic, and -R asks the common server to listen on port 2222 (on its loopback interface only, unless its sshd has GatewayPorts enabled) and to forward every connection to that port back to port 22 on the host.
* After the connection has been set up (the common server's password is required when running the command above on the host, i.e. the N900), you connect to the common server using ssh and there run the command: ssh root@127.0.0.1 -p 2222 (as configured in the example).
* You are now connected to the HOST.
== Pitfalls ==
'''There are a few shortcomings in this setup; most can be worked around.'''
* In order to skip the password prompt when the host connects to the common server, you must copy the host's public SSH key into the authorized_keys file (~/.ssh/authorized_keys of the account you log in as) on the common server.
In case your host is the Nokia N900, the file is located here: /root/.ssh/id_dsa.pub
** This is a DSA key. sshd in OpenSSH 7.0 and later refuses ssh-dss keys by default, so if the common server runs a recent OpenSSH, generate an RSA or ed25519 key on the phone with ssh-keygen and copy that public key instead.
** Some routers allow you to paste the contents of that file via the web GUI of the router (for example Tomato firmware for WRT routers).
* If the ssh connection between the host and the common server breaks, for any reason, we want it to be reconnected automatically. We can wrap the ssh command in an infinite loop using while: while true; do ssh -N -C -p 22 -R 2222:127.0.0.1:22 myHostname.no-ip.info; sleep 5; done
* The command should be put into a script, for easy dispatch.
* It is possible to add the command to /etc/network/if-up.d/ - this will cause it to be dispatched every time 3G or Wi-Fi is connected, making your phone available immediately.
* If the above method is used, a matching script must also be added to /etc/network/if-down.d/ to kill the looping ssh command, to save some battery.
* When not in use, an idle ssh connection might silently die while the client still believes it is connected. To make the phone notice a dead session, close it and start a new one (the loop above then reconnects), add two options to the ssh client configuration of your phone.
** Open the file /etc/ssh/ssh_config for editing using your favorite editor; mine is vi.
** Insert the following lines into the file:
*** ExitOnForwardFailure yes
*** ServerAliveInterval 60
** The lines should be inserted right after the "Host *" line.
** ExitOnForwardFailure makes ssh exit instead of staying connected without the forward when the common server still holds port 2222 from a stale session, so the loop can retry. ServerAliveInterval sends a keepalive every 60 seconds and terminates the session once ServerAliveCountMax replies (3 by default) have been missed, i.e. after about three minutes without a working link.
** I am not sure about the bandwidth usage of the "ServerAliveInterval" option, but it works for me; if you use it, make sure you monitor your network usage over a few days.
== Scripts & Files ==
* [[Image:Reverse_ssh.sh]] - This file should be located in /usr/share; you also need to edit it with the correct ports and hostname.
* [[Image:Reverse Ssh Stop.Sh]] - This file should also be in /usr/share.
* [[Image:Reverse Ssh If Down.Sh]] - This file should be in /etc/network/if-down.d/ - After copying this file, remove the .sh extension.
* [[Image:Reverse Ssh If Up.Sh]] - This file should be in /etc/network/if-up.d/ - After copying this file, remove the .sh extension.
* '''All files need to have executable permissions. I usually just do "chmod 777 <filename>", but I reckon it's not very secure, so someone please clarify the minimum level of permissions needed.'''
** chmod 755 is enough, or chmod 700 since only root runs them. The scripts are executed as root, and 777 makes them world-writable, so any local user (or any process that gains a low-privilege foothold on the phone) could edit a script that root runs.
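The host-side procedure above (the ssh -R command from Installation Steps, the reconnect loop, the if-up.d start and if-down.d stop from Pitfalls, and the key that lets the host log in without a password) as one script, added here as an example; it is not the Reverse_ssh.sh attached to this page. It assumes key authentication to the common server is already set up, and the common server name, the tunnel account name, the pid-file path and the authorized_keys options are assumptions to adapt; the restrict option needs OpenSSH 7.2 or later on the common server.

```shell
#!/bin/sh
# reverse_ssh.sh: keep a reverse ssh tunnel from this host (the N900) to the
# common server alive, and print a restricted authorized_keys entry for it.
# Added example for this page; it is not the page's own Reverse_ssh.sh. The
# host name, account name and paths are assumptions: edit them for your setup.

COMMON_HOST="${COMMON_HOST:-myHostname.no-ip.info}"  # common server (assumed name)
COMMON_PORT="${COMMON_PORT:-22}"                      # sshd port on the common server
FORWARDED_PORT="${FORWARDED_PORT:-2222}"              # port opened on the common server's loopback
HOST_PORT="${HOST_PORT:-22}"                          # sshd port on this host
TUNNEL_USER="${TUNNEL_USER:-tunnel}"                  # unprivileged account on the common server (assumed)
PIDFILE="${PIDFILE:-/var/run/reverse_ssh.pid}"        # assumed location
RETRY_DELAY="${RETRY_DELAY:-5}"                       # seconds between reconnect attempts

# Accept only 1-65535 before anything reaches the ssh command line.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The ssh invocation from the page, with the ssh_config options from the Pitfalls
# section passed on the command line instead. ExitOnForwardFailure makes ssh exit
# (so the loop retries) when the common server still holds the port from a stale
# session; ServerAliveInterval 60 with CountMax 3 drops a dead 3G link after about
# three minutes; BatchMode fails fast instead of waiting at a password prompt that
# nobody will answer on an unattended phone.
build_ssh_cmd() {
    printf 'ssh -N -C -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -p %s -R %s:127.0.0.1:%s %s@%s' \
        "$COMMON_PORT" "$FORWARDED_PORT" "$HOST_PORT" "$TUNNEL_USER" "$COMMON_HOST"
}

# Reconnect loop. ssh runs as a tracked child so that a TERM to the loop also ends
# the live session; otherwise the if-down script would leave an orphan ssh behind.
run_loop() {
    trap 'kill "$ssh_pid" 2>/dev/null; exit 0' TERM INT
    while true; do
        $(build_ssh_cmd) &    # unquoted on purpose: word-split into command and arguments
        ssh_pid=$!
        wait "$ssh_pid"
        sleep "$RETRY_DELAY"
    done
}

start_tunnel() {
    for p in "$COMMON_PORT" "$FORWARDED_PORT" "$HOST_PORT"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "reverse ssh loop already running" >&2
        return 0
    fi
    run_loop &
    echo $! > "$PIDFILE"
}

stop_tunnel() {
    [ -f "$PIDFILE" ] || return 0
    kill "$(cat "$PIDFILE")" 2>/dev/null || true   # the loop's trap kills its ssh child
    rm -f "$PIDFILE"
}

# Line to paste into the tunnel account's ~/.ssh/authorized_keys on the common
# server. The key is only ever used to open the tunnel, so it gets no shell, pty,
# agent or X11 forwarding (restrict needs OpenSSH 7.2+; on older servers use
# no-pty,no-agent-forwarding,no-X11-forwarding). Argument: the host's public key file.
authorized_keys_entry() {
    printf 'restrict,port-forwarding %s\n' "$(cat "$1")"
}

# Usage: reverse_ssh.sh start|stop|key /path/to/id_xxx.pub
# (the if-up.d hook calls "start", the if-down.d hook calls "stop").
case "${1:-}" in
    start) start_tunnel ;;
    stop)  stop_tunnel ;;
    key)   authorized_keys_entry "$2" ;;
esac
```

Install it as /usr/share/reverse_ssh.sh as the page does, and have the /etc/network/if-up.d/ script run /usr/share/reverse_ssh.sh start and the if-down.d script run /usr/share/reverse_ssh.sh stop. Run reverse_ssh.sh key /root/.ssh/id_rsa.pub on the phone once and paste the printed line on the common server; afterwards ssh -p 2222 root@127.0.0.1 on the common server reaches the phone as in Installation Steps. The restrict entry means that someone who extracts the key from a lost phone gets a port forward on the common server but no shell there.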
== Warnings ==
* This may cause connectivity problems if you don't do something right.
* This may compromise your phone's security: the forwarded port lets anyone with an account on the common server reach your phone's sshd, and the unencrypted key on the phone logs in to the common server without a password, so treat the common server as part of the phone's trust boundary.
== Credits ==
Special thanks to [http://talk.maemo.org/member.php?u=26108 Spanner] for helping me out in this [http://talk.maemo.org/showthread.php?p=696130#post696130 thread]; none of this would have been possible for me without him.
Please feel free to edit this page if you have anything to add. I am not a Linux expert, and the directories I chose to put the files in are totally random; they may not be the best places, but the files are all very small, so the impact is little.