from Hacker News

Autossh – automatically restart SSH sessions and tunnels

by denysonique on 9/28/24, 4:09 PM with 86 comments

  • by xk3 on 9/28/24, 6:21 PM

    If you have systemd, you could do this:

        [Unit]
    Description=look ma, no autossh
    After=network.target
    
    [Service]
    Type=exec
    ExecStart=/usr/bin/ssh -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -Nn -R 7070:localhost:22 pc 'sleep 20m'
    Restart=always
    RestartSec=20
    RuntimeMaxSec=30m
    
    [Install]
    WantedBy=default.target

  • by beagle3 on 9/28/24, 7:04 PM

    14 years ago, i was using auto ash to keep SSH tunnels up; but at some point (quite far back - perhaps 2016?) ssh gained everything needed to do this internally except the restart.

    At this point I configure all of the keep alive and retry options in ssh_config and sshd_config, and use

        While true; do ssh user@host ; sleep 10; done
    To get the same effect, but with much more flexibility - e.g. alternating connection addresses on a multihomed host, add logging, run from daemontools or systemd unit instead of a loop and let them track the process and restart, etc.

  • by vincentpants on 9/28/24, 5:56 PM

    Curious what advantages this has over mosh?

    https://mosh.org/

  • by cperciva on 9/29/24, 5:26 AM

    If your concern is to have secure tunnels between hosts, you should probably use spiped rather than SSH, since it uses a separate TCP connection for each pipe -- this avoids the "connection dropped" problem and also the "multiplexing many connections over one TCP connection" performance hit.

    Also, spiped is way simpler and more secure than SSH. (On my servers, I tunnel SSH over spiped, to protect the sshd from attacks.)

  • by eichin on 9/29/24, 12:13 AM

  • by paulfharrison on 9/29/24, 1:09 AM

    For web-servers on remote machines, I have found this useful:

      socat TCP4-LISTEN:1234,fork,bind=127.0.0.1 EXEC:'ssh my.remote.server nc 127.0.0.1 1234'
    1234 = local/remote port. Can be adapted to use unix sockets at the remote end. my.remote.server = your remote server address.

    This will set up a tunnel only when needed, and seems to play nicely with my browser.

  • by botto on 9/28/24, 7:01 PM

    I've used autossh to have a reverse tunnel open connection back to my work desktop, IT never found it and I had that in place for year

  • by hi-v-rocknroll on 9/28/24, 7:03 PM

    The last time I used autossh it was on a client site to keep 2 layers of ssh tunnels open to jump through their network isolation hoops.

    In general, when flexibility is possible, such a use-case nowadays would often be better served by deploying WireGuard. Grouchy, out-of-touch corporate net admins probably don't even know what it is and insist on their antiquated Cisco VPNs.

  • by bashkiddie on 9/28/24, 10:34 PM

    I used to be a happy user of `autossh` until 2023. I used it on Cygwin on Windows and was quite happy how reliably it set up my tunnels (upon tunnels) in a flaky corporate network. `autossh` worked reliable compared to `ssh`s many timeout options.

    I would still recommend it.

  • by mifydev on 9/28/24, 11:16 PM

    I’d recommend https://eternalterminal.dev/, compared to mosh(poor colors support), this is the only thing that manages to consistently keep up my ssh sessions.

  • by aborsy on 9/28/24, 9:22 PM

    Wouldn’t ssh with systemd or auto ssh be a more secure means of remote access to apps (like http/https apps) than the zero trust network access solutions (like Cloudflare Tunnels which terminates the TLS) or even Tailscale (which should be a trusted third party)?

    You set up public key authentication with SSH to a reverse proxy, a persistent tunnel, and a socks proxy. In a Firefox profile, you set localhost:port. Done! All your services are available in that browser all the time.

    Autossh with a reverse ssh tunnel can also be used to expose an internal service to the Internet through a VPS.

    SSH has been very secure over the decades. A good feature of SSH is that it can jump from host to host, unlike VPN.

  • by _davide_ on 9/29/24, 8:46 AM

    May I suggest a tool built for application level portals instead?

    https://github.com/build-trust/ockam

    One binary, easy to use, no ssh getting stuck! (yep, I work at Ockam :)

  • by isoprophlex on 9/28/24, 6:33 PM

    Not 100% the same use case as autossh was built for maybe, but I'm now simply throwing tailscale on every box i need to interact with. Does away with all the port forwarding stuff, it's absolutely delightful.

  • by dheera on 9/28/24, 7:11 PM

    autossh is nice but the default options suck. I have to do something like this for it to work well

        autossh -f -N -o ServerAliveCountMax=2 -o ServerAliveInterval=5 -o ConnectTimeout=5 -o BatchMode=yes [...]

  • by dingi on 9/28/24, 8:25 PM

    Sometime back, I had a rapsberry pi connected to wired network of a coworking space. I remember using autossh to keep a tunnel open with one of my VPS. Mainly used it as a torrent box. I added magnet links through qbittorrent webui installed on raspberry pi. Qbittorrent was configured to only run at night time to not cause issues for business work. Downloaded all sort of things easily reaching thousands of GBs throughout my time there. They never found out. Or they didn't care to look. Good times.

  • by sgt on 9/28/24, 6:20 PM

    Rather than using AutoSSH for port forwarding and such, I just create a systemd unit with a restart policy. Then you don't need autossh at all, just use ssh.

  • by ndreas on 9/28/24, 6:25 PM

    I used to use autossh to set up a SOCKS proxy to tunnel my web browser traffic via my home network and it worked really well. Also had a ControlMaster on the tunnel which made SSH connections to my server instantaneous.

    Nowadays I use wireguard an a dedicated SOCKS proxy. The upside is that I can access everything on my home network directly without having to tunnel.

  • by amelius on 9/28/24, 7:05 PM

    Nice tool, but I'm getting tired of using port numbers for everything instead of more descriptive strings. My system has more than 10 tunnels and servers running, and since I only do sysadmin work once every half year or so, the port numbers are very cumbersome to deal with.

  • by qwertox on 9/28/24, 8:51 PM

    I use this to set up reverse tunnels, for example to set up MongoDB replica sets which sync through SSH. It kind of simplifies the security aspect of replica sets a bit, since then MongoDB does not need to be exposed to the internet and no VPN setup is needed.

  • by frizlab on 9/28/24, 6:54 PM

    How is this different from this

        ssha () {
     while true
     do
      ssh "$@"
      sleep 1
     done
     true
    }
    EDIT: Oh I think I know, autossh must be detecting when the connexion is closed but ssh does not automatically…

  • by chasil on 9/28/24, 8:10 PM

    Use stunnel for non-interactive tunneling over TLS.

    It is much more straightforward than ssh for this purpose, and works well with socket activation under systemd.

    I use it with the systemd automounter to encrypt NFSv4, and I have found it to be quite reliable.

  • by leetrout on 9/28/24, 6:35 PM

    I used autossh to do terrible things securing redis back in 2013. Fantastic tool.

  • by jbverschoor on 9/29/24, 2:26 PM

    Can’t recommend… just loop ssh.

    I’ve run autossh for quite some time but it was not reliable enough under my conditions

  • by pawelduda on 9/28/24, 11:33 PM

    I used autossh to access hundreds of on prem client machines via a reverse SSH tunnel. Never failed me!

  • by whatever1 on 9/29/24, 5:36 AM

    Why SSH does not do this by default? Why the average Joe wants his SSH session to timeout?

  • by 89nn on 9/28/24, 11:32 PM

    Is there anything like this but for `kubectl port-forward`?

  • by whalesalad on 9/28/24, 10:02 PM

    mosh