Meu túnel ssh reverso está usando keepalives, mas eles não estão ajudando

7

Eu tenho uma máquina cliente ssh picard atrás de várias conexões de internet não confiáveis - todas com NAT.

Eu tenho meu servidor time , confiável com um IP estático. Eu quero ser capaz de acessar o picard thorugh time . Eu fiz isso antes:

$ ssh -N -R 19999:localhost:22 [email protected]

Isso funciona, mas se houver um problema ele sai e não reinicia, e ele não inicia na inicialização, então agora eu adiciono um serviço systemd para executar:

/bin/bash -c "while true; do /usr/bin/ssh -i <unencrypted key> \
  -o ServerAliveInterval=10 -v -o ServerAliveCountMax=6 -N \
    -R 19999:localhost:22 [email protected]; sleep 5; done"'

while true ... sleep 5    # re-runs ssh if it exits
  • -o ServerAliveInterval=10 envia um keep-alive a cada 10 segundos
  • -o ServerAliveCountMax=6 sai se 6 keep-alives sair sem resposta
  • -v mantém informações de depuração em /var/log/messages por meio do systemd

No lado do servidor, adicionei algumas linhas a sshd_config :

KeepAlive yes
ClientAliveInterval 10
ClientAliveCountMax 6

Idéia do cliente - interrompa a conexão após 60 segundos de inatividade.

Infelizmente, parece demorar mais de um minuto para reiniciar:

< tunnel is up and keepalives are coming in >
Jun  7 17:31:02 picard bash[135]: debug1: client_input_global_request: rtype [email protected] want_reply 1
Jun  7 17:31:12 picard bash[135]: debug1: client_input_global_request: rtype [email protected] want_reply 1
Jun  7 17:31:15 picard bash[135]: debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
Jun  7 17:31:15 picard bash[135]: debug1: client_request_forwarded_tcpip: listen localhost port 19998, originator 127.0.0.1 port 38267
Jun  7 17:31:15 picard bash[135]: debug1: connect_next: host localhost ([127.0.0.1]:22) in progress, fd=4
Jun  7 17:31:15 picard bash[135]: debug1: channel 0: new [127.0.0.1]
Jun  7 17:31:15 picard bash[135]: debug1: confirm forwarded-tcpip
Jun  7 17:31:15 picard bash[135]: debug1: channel 0: connected to localhost port 22
Jun  7 17:31:20 picard systemd-logind[137]: New session 1 of user main_username.
< I break eth0 and plug it back in after NM sees it's down >
< eth0 is back up within a few seconds >
< nothing happens with my ssh connection for a LONG time >
Jun  7 17:54:16 picard bash[135]: Write failed: Broken pipe
Jun  7 17:54:22 picard bash[135]: OpenSSH_6.1p1, OpenSSL 1.0.1c-fips 10 May 2012
Jun  7 17:54:22 picard bash[135]: debug1: Reading configuration data /etc/ssh/ssh_config
Jun  7 17:54:22 picard bash[135]: debug1: /etc/ssh/ssh_config line 50: Applying options for *
Jun  7 17:54:22 picard bash[135]: debug1: Connecting to my.domain [123.234.123.234] port 22.
Jun  7 17:54:22 picard bash[135]: debug1: Connection established.
Jun  7 17:54:23 picard bash[135]: debug1: identity file /home/test/.ssh/id_rsa type 1
Jun  7 17:54:23 picard bash[135]: debug1: identity file /home/test/.ssh/id_rsa-cert type -1
Jun  7 17:54:23 picard bash[135]: debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-1ubuntu3
Jun  7 17:54:23 picard bash[135]: debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH_5*
Jun  7 17:54:23 picard bash[135]: debug1: Enabling compatibility mode for protocol 2.0
Jun  7 17:54:23 picard bash[135]: debug1: Local version string SSH-2.0-OpenSSH_6.1
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_KEXINIT sent
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_KEXINIT received
Jun  7 17:54:23 picard bash[135]: debug1: kex: server->client aes128-ctr hmac-md5 none
Jun  7 17:54:23 picard bash[135]: debug1: kex: client->server aes128-ctr hmac-md5 none
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
Jun  7 17:54:23 picard bash[135]: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Jun  7 17:54:23 picard bash[135]: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Jun  7 17:54:23 picard bash[135]: debug1: Server host key: RSA 7a:19:72:9d:f5:39:f5:03:cf:16:b2:ee:fc:a4:e6:ba
Jun  7 17:54:23 picard bash[135]: debug1: Host 'my.domain' is known and matches the RSA host key.
Jun  7 17:54:23 picard bash[135]: debug1: Found key in /home/test/.ssh/known_hosts:1
Jun  7 17:54:23 picard bash[135]: debug1: ssh_rsa_verify: signature correct
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_NEWKEYS sent
Jun  7 17:54:23 picard bash[135]: debug1: expecting SSH2_MSG_NEWKEYS
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_NEWKEYS received
Jun  7 17:54:23 picard bash[135]: debug1: Roaming not allowed by server
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_SERVICE_REQUEST sent
Jun  7 17:54:23 picard bash[135]: debug1: SSH2_MSG_SERVICE_ACCEPT received
Jun  7 17:54:23 picard bash[135]: debug1: Authentications that can continue: publickey,password
Jun  7 17:54:23 picard bash[135]: debug1: Next authentication method: publickey
Jun  7 17:54:23 picard bash[135]: debug1: Offering RSA public key: /home/test/.ssh/id_rsa
Jun  7 17:54:23 picard bash[135]: debug1: Server accepts key: pkalg ssh-rsa blen 279
Jun  7 17:54:23 picard bash[135]: debug1: read PEM private key done: type RSA
Jun  7 17:54:24 picard bash[135]: debug1: Authentication succeeded (publickey).
Jun  7 17:54:24 picard bash[135]: Authenticated to my.domain ([123.234.123.234]:22).
Jun  7 17:54:24 picard bash[135]: debug1: Remote connections from LOCALHOST:19999 forwarded to local address localhost:22
Jun  7 17:54:24 picard bash[135]: debug1: Requesting [email protected]
Jun  7 17:54:24 picard bash[135]: debug1: Entering interactive session.
Jun  7 17:54:24 picard bash[135]: debug1: remote forward success for: listen 19999, connect localhost:22
Jun  7 17:54:24 picard bash[135]: debug1: All remote forwarding requests processed
Jun  7 17:54:44 picard bash[135]: debug1: client_input_global_request: rtype [email protected] want_reply 1
Jun  7 17:54:45 picard bash[135]: debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
Jun  7 17:54:45 picard bash[135]: debug1: client_request_forwarded_tcpip: listen localhost port 19999, originator 127.0.0.1 port 60222
Jun  7 17:54:45 picard bash[135]: debug1: connect_next: host localhost ([127.0.0.1]:22) in progress, fd=4
Jun  7 17:54:45 picard bash[135]: debug1: channel 0: new [127.0.0.1]
Jun  7 17:54:45 picard bash[135]: debug1: confirm forwarded-tcpip
Jun  7 17:54:45 picard bash[135]: debug1: channel 0: connected to localhost port 22
Jun  7 17:54:50 picard systemd-logind[137]: New session 3 of user main_username.
< whenever I connect the keepalive debug messages stop coming, not sure if this is normal >

Tenho certeza que negligenciei algo. Eu vi alguns projetos como autossh que fazem praticamente a mesma coisa que estou fazendo agora, mas gostaria de poder corrigir isso se possível. Como faço para diminuir o atraso para 2-3 minutos em vez de 23 minutos?

    
por Vasiliy Sharapov 07.06.2013 / 20:43

1 resposta

4

E se você usasse uma ferramenta como autossh para manter suas conexões ssh? Eu uso o autossh para manter ambos um smtp (porta 25) e imap (porta 143) abertos no meu laptop de volta através de um servidor na internet com vários servidores atrás dele que estão acessando a internet via NAT.

                                                              smtp (25)
                                                               __  _   
                                                              [__]|=|  
                                                              /::/|_|  
 laptop          .-,(  ),-.         Ext. Host      Int. Host      ^
  (22)        .-(          )-.         (22)           (22)        |
  __  _ ---->(    internet    )----> __  _   -----> __  _   ------.
 [__]|=|      '-(          ).-'     [__]|=|        [__]|=|        |
 /::/|_|          '-.( ).-'         /::/|_|        /::/|_|        v
                                                             imap (143)
                                                              __  _    
                                                             [__]|=|   
                                                             /::/|_|   

Com a configuração acima, eu uso o seguinte comando autossh para configurá-lo no meu laptop:

autossh -M 0 -f -N -L 2025:localhost:25 -L 2143:localhost:143 me@int-host

No meu arquivo $HOME/.ssh/config , configurei uma regra de host assim:

Host int-host
    ProxyCommand ssh me@ext-host nc int-host %p
    
por 08.06.2013 / 03:29