This repository contains systemd units that define a service to maintain a permanent SSH reverse tunnel.
To set up the service, follow the steps below on the local machine and on the remote host.
You must list the public key in the authorized_keys file on the remote machine.
To restrict the permissions of the connecting user, specify that the key can't run any commands and may only be used from a restricted range of addresses. See: Configuring Authorized Keys for OpenSSH
from="$address",command="$command" $ssh_public_key
For example:
from="132.235.0.0/16",command="/bin/true" ssh-rsa AAAAB3Nza...cDR5yDhRte2SWk=
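The following shell snippet is an added example, not part of this repository: it builds an authorized_keys entry of the form shown above and checks that an existing entry carries the required options. It goes beyond the page's from= and command= options by also applying OpenSSH's restrict option (no pty, no agent or X11 forwarding, no user rc, no forwarding at all) and then re-enabling only the listener a reverse tunnel needs through port-forwarding plus permitlisten, so the key cannot open other ports on the remote host. The source range, the port localhost:2222, the key blob and the comment used in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of this repository: build and check a restricted
# authorized_keys entry for the tunnel key. "restrict" turns off pty, agent
# and X11 forwarding, user rc and all forwarding; "port-forwarding" plus
# "permitlisten" then allow only the listener the -R tunnel needs.
# All values in the demo below are constructed samples.

# Build one authorized_keys line.
#   $1 source pattern for from=        (e.g. 132.235.0.0/16)
#   $2 listen spec for permitlisten=   (e.g. localhost:2222, the -R port)
#   $3 key type, $4 base64 key blob, $5 optional comment
build_tunnel_key_line() {
    printf 'from="%s",restrict,port-forwarding,permitlisten="%s",command="/bin/true" %s %s %s\n' \
        "$1" "$2" "$3" "$4" "${5:-tunnel}"
}

# Return 0 when an authorized_keys line carries every option we require,
# 1 otherwise. The options field ends where the key type begins; quoted
# option values may contain spaces, so we cut at the key type rather than
# at the first space.
check_restricted_line() {
    line=$1
    opts=$(printf '%s\n' "$line" | sed -E \
        's/ (ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+) .*$//')
    [ "$opts" != "$line" ] || return 1        # no key type found on the line
    for want in 'from="' restrict port-forwarding 'permitlisten="' 'command="'; do
        case ",$opts," in
            *",$want"*) ;;
            *) echo "missing option: $want" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demo with constructed values (sample key blob, not a real key).
sample=$(build_tunnel_key_line "132.235.0.0/16" "localhost:2222" ssh-ed25519 \
    "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlob" "iot-tunnel")
printf '%s\n' "$sample"
check_restricted_line "$sample" && echo "sample line: OK"
```

Run check_restricted_line against each line of the tunnel user's authorized_keys on the remote host; the page's own example line fails the check because it lacks restrict and permitlisten, which is the point: without them the key can still request a pty or open arbitrary listeners.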
If we trust the server and know its fingerprint is correct, we can add its SSH host key to our known_hosts file using ssh-keyscan.
# Fetch the remote host key and append it to known_hosts (-H hashes the hostname)
# Compare the fingerprint of the scanned key with the one you already trust
# before relying on it:  ssh-keyscan $destination | ssh-keygen -lf -
destination="iot.bugtrack.org.uk"
ssh-keyscan -H $destination >> ~/.ssh/known_hosts
# Install systemd units
cp --recursive --verbose scripts/systemd/* /etc/systemd/system
systemctl daemon-reload
# Activate the service
systemctl enable ssh-tunnel.service
Edit the environment variables in the systemd override configuration files located at /etc/systemd/system/ssh-tunnel.service.d/*.conf
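The repository's own unit and override files are not reproduced on this page, so the following is an added example of what such a unit and drop-in can look like, together with a check that a drop-in sets every variable the unit needs. The variable names TUNNEL_USER, TUNNEL_HOST, TUNNEL_KEY, REMOTE_PORT and LOCAL_PORT are assumptions for illustration; use the names the real files under ssh-tunnel.service.d/ define. The ssh options are what make the tunnel survive unattended: BatchMode never waits for a prompt, StrictHostKeyChecking=yes refuses to connect unless the host key was already recorded (the ssh-keyscan step above), and ExitOnForwardFailure makes ssh exit, and systemd restart it, when the remote port cannot be bound.

```shell
#!/bin/sh
# Added example, not the repository's own unit files. Variable names are
# assumed for illustration. The demo writes into a temporary directory;
# pass /etc/systemd/system (as root) to install for real, then run
# systemctl daemon-reload.

REQUIRED_VARS="TUNNEL_USER TUNNEL_HOST TUNNEL_KEY REMOTE_PORT LOCAL_PORT"

# Write ssh-tunnel.service into directory $1. ${VAR} is expanded by systemd
# from the Environment= lines of the drop-in, not by this shell.
write_tunnel_unit() {
    cat > "$1/ssh-tunnel.service" <<'EOF'
[Unit]
Description=Persistent SSH reverse tunnel
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/bin/ssh -N -o BatchMode=yes -o StrictHostKeyChecking=yes \
    -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -i ${TUNNEL_KEY} -R ${REMOTE_PORT}:localhost:${LOCAL_PORT} ${TUNNEL_USER}@${TUNNEL_HOST}
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Write the drop-in $1/ssh-tunnel.service.d/override.conf from
# $2 user, $3 host, $4 key path, $5 remote port, $6 local port.
write_tunnel_dropin() {
    mkdir -p "$1/ssh-tunnel.service.d"
    cat > "$1/ssh-tunnel.service.d/override.conf" <<EOF
[Service]
Environment=TUNNEL_USER=$2
Environment=TUNNEL_HOST=$3
Environment=TUNNEL_KEY=$4
Environment=REMOTE_PORT=$5
Environment=LOCAL_PORT=$6
EOF
}

# Return 0 when drop-in $1 sets every required variable to a non-empty
# value, 1 otherwise. Only the unquoted Environment=NAME=value form is
# recognised; the last assignment of a name wins, as in systemd.
check_tunnel_dropin() {
    for var in $REQUIRED_VARS; do
        value=$(sed -n "s/^Environment=$var=//p" "$1" | tail -n 1)
        if [ -z "$value" ]; then
            echo "$1: $var is not set" >&2
            return 1
        fi
    done
    return 0
}

# Demo in a temporary directory with constructed values.
demo_dir=$(mktemp -d)
write_tunnel_unit "$demo_dir"
write_tunnel_dropin "$demo_dir" tunnel iot.bugtrack.org.uk /etc/ssh/tunnel_key 2222 22
check_tunnel_dropin "$demo_dir/ssh-tunnel.service.d/override.conf" && echo "drop-in: OK"
echo "unit written to $demo_dir/ssh-tunnel.service"
```

Run check_tunnel_dropin on the real override file after editing it and before systemctl daemon-reload; an empty variable would otherwise only show up as a failing ExecStart line in journalctl.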
The service is controlled using systemctl.
# Start
systemctl start ssh-tunnel.service
# Stop
systemctl stop ssh-tunnel.service
To view the service status, use systemctl like so:
systemctl status ssh-tunnel
To view the logs, use journalctl.
For example, to show the last 40 lines of information:
journalctl --unit=ssh-tunnel --lines=40