-
Notifications
You must be signed in to change notification settings - Fork 1
/
ssh_tunnel
executable file
·196 lines (170 loc) · 5.15 KB
/
ssh_tunnel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
#!/bin/bash
# Martin A. Hansen, [email protected], 2014.
#
# Easy secure remote point-to-point login access
# ----------------------------------------------
#
# On Mac, Linux and Unix machines regular users without administrator
# priviledge can provide remote login access to each other very easily.
# The following describes how to do this in a secure way, even between
# machines behind firewalls. To a non-technical person this may sound
# insecure, but it is not.
#
# To do this, the ssh package is used to create a "reverse tunnel": if
# machine A should have access to machine B, then B first connects to
# A, then A gets into B via that connection. Before describing the
# steps, some background information:
#
# http://www.howtoforge.com/reverse-ssh-tunneling
# http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel
#
# Also take a look at the top sectionn of the accompanying ssh_tunnel
# script.
#
# Consider this scenario: machine B is behind a company firewall, but
# user B would like user A, who is not behind a firewall, to log into
# it for better customer support for example. Here are the steps to do
# that:
#
# * User A first tells B the IP-number or full domain name of A, and
# a user name and port on A, for B to connect to.
#
# * B edits ssh_tunnel and sets the variables
#
# REMOTE_USER (set to "a-user" in the examples below)
# REMOTE_HOST (set to "a-host" below )
# REVERSE_BIND (set to "a-port" below )
#
# to the values given by A.
#
# * B connects to A with
#
# ssh a-user@a-host
#
# on the command line. There will be a password prompt, and A must
# tell B the password, but this is just for getting into A the
# first time.
#
# * B creates password-less login on A. This is done by appending
#
# ~/.ssh/id_rsa.pub
#
# on B to
#
# ~/.ssh/authorized_keys
#
# in the agreed user account on A. If B does not have the id_rsa.pub
# file, then generate it by running
#
# ssh-keygen
#
# with no arguments and accept all defaults. Try log out of A and
# repeat the ssh login command above - there should now be no
# password prompt.
#
# * B starts the ssh_tunnel script like this:
#
# ./ssh_tunnel start
#
# If desired this can be done automatically when machine B starts,
# but this requires administrator rights.
#
# * A connects to B with
#
# ssh -p a-port b-user@localhost
#
# where b-user is the agreed account on B. There will be a password
# prompt and B must tell A the password.
#
# * A creates password-login on B. This is done as above, but appending
# A's ~/.ssh/id_rsa.pub file to B's ~/.ssh/authorized_keys file.
#
# A can now connect to B, without password prompt, with
#
# ssh -p a-port b-user@localhost
#
# This command can be aliased to some shortcut, like "blogin". In the
# same way, the SSH provides commands for copying files back and forth,
# which can also be aliased for convenience.
#
# To a non-technical person this may sound insecure, but it is not. It
# is a point-to-point connection that noone other than the two users on
# A and B - who trust each other - can use.
# ---------------------- EDIT THESE -----------------------------
# These variables should be changed between setups.
REMOTE_USER="test"
REMOTE_PORT=22
REMOTE_HOST="www.google.com"
REMOTE_USER_HOST="$REMOTE_USER@$REMOTE_HOST"
REVERSE_BIND=10002
# --------------------- IGNORE THESE ----------------------------
# These variables can be edited too, but it is usually not
# necessary.
REMOTE_PORT=22 # Not used?
REMOTE_USER_HOST="$REMOTE_USER@$REMOTE_HOST"
REVERSE_HOST="localhost"
REVERSE_PORT=22
REVERSE_BIND_HOST_PORT="$REVERSE_BIND:$REVERSE_HOST:$REVERSE_PORT"
SSH_OPTIONS="ServerAliveInterval=50"
LOG_FILE="$HOME/.tunnel_log"
CONTROL_PATH="$HOME/.tunnel_socket"
# -------------------------- CODE -------------------------------
SSH_OPTIONS="ServerAliveInterval=50"
LOG_FILE="$HOME/.tunnel_log"
CONTROL_PATH="$HOME/.tunnel_socket"
print_usage() {
echo "Usage: $0 <start|stop>" 1>&2
}
# Append a given message to the log file defined in $LOG_FILE.
log() {
local msg=$1
echo -e "`date`\t$msg" >> $LOG_FILE
}
# Find and return the PID for an SSH tunnel.
ssh_tunnel_pid() {
local pid=$(ssh -S $CONTROL_PATH -O check $REMOTE_USER_HOST 2>&1 | sed "s/[^0-9]//g")
echo $pid
}
# Start a new SSH tunnel.
ssh_tunnel_start() {
cmd="ssh -MS $CONTROL_PATH -fNngo $SSH_OPTIONS -R $REVERSE_BIND_HOST_PORT $REMOTE_USER_HOST"
msg="Starting ssh tunnel: $cmd"
echo "$msg" 1>&2
$cmd
log "$msg"
}
# Exit an SSH tunnel.
ssh_tunnel_exit() {
cmd="ssh -S $CONTROL_PATH -O exit $REMOTE_USER_HOST"
msg="Exiting ssh tunnel: $cmd"
echo "$msg" 1>&2
$cmd
log "$msg"
}
if [ $# -ne 1 ]; then
print_usage
exit 1
fi
COMMAND=$1
if [ "$COMMAND" == "start" ]; then
pid=$(ssh_tunnel_pid)
if [ "$pid" ]; then
msg="SSH tunnel already exists with PID: $pid"
echo "$msg" 1>&2
log "$msg"
else
ssh_tunnel_start
fi
elif [ "$COMMAND" == "stop" ]; then
if [ -e "$CONTROL_PATH" ]; then
ssh_tunnel_exit
else
msg="No SSH tunnel running"
echo "$msg" 1>&2
log "$msg"
fi
else
print_usage
exit 2
fi
exit 0