How to reliably keep an SSH tunnel open?
I use an SSH tunnel from work to go around various idotic firewalls (it's ok with my boss :)). The problem is, after a while the ssh connection usually hangs, and the tunnel is broken.
If I could at least monitor the tunnel automatically, I could restart the tunnel when it hangs, but I haven't even figured a way of doing that.
Bonus points for the one who can tell me how to prevent my ssh connection from hanging, of course!
linux networking security ssh shell
add a comment |
I use an SSH tunnel from work to go around various idotic firewalls (it's ok with my boss :)). The problem is, after a while the ssh connection usually hangs, and the tunnel is broken.
If I could at least monitor the tunnel automatically, I could restart the tunnel when it hangs, but I haven't even figured a way of doing that.
Bonus points for the one who can tell me how to prevent my ssh connection from hanging, of course!
linux networking security ssh shell
It is your tunnel dead because inactivity? I had this problem when tunneling ports from my phone so i finally ended spawning dummy commands on the connection to make it "alive" using thewatch
command like:watch -n1 60 echo "wiiiii"
. Tunnel will not die unless network is broken or you don't use it.
– erm3nda
Feb 10 '17 at 2:07
Related: unix.stackexchange.com/q/200239
– sampablokuper
Dec 29 '17 at 16:28
add a comment |
I use an SSH tunnel from work to go around various idotic firewalls (it's ok with my boss :)). The problem is, after a while the ssh connection usually hangs, and the tunnel is broken.
If I could at least monitor the tunnel automatically, I could restart the tunnel when it hangs, but I haven't even figured a way of doing that.
Bonus points for the one who can tell me how to prevent my ssh connection from hanging, of course!
linux networking security ssh shell
I use an SSH tunnel from work to go around various idotic firewalls (it's ok with my boss :)). The problem is, after a while the ssh connection usually hangs, and the tunnel is broken.
If I could at least monitor the tunnel automatically, I could restart the tunnel when it hangs, but I haven't even figured a way of doing that.
Bonus points for the one who can tell me how to prevent my ssh connection from hanging, of course!
linux networking security ssh shell
linux networking security ssh shell
asked Sep 8 '09 at 13:04
PeltierPeltier
2,21953153
2,21953153
It is your tunnel dead because inactivity? I had this problem when tunneling ports from my phone so i finally ended spawning dummy commands on the connection to make it "alive" using thewatch
command like:watch -n1 60 echo "wiiiii"
. Tunnel will not die unless network is broken or you don't use it.
– erm3nda
Feb 10 '17 at 2:07
Related: unix.stackexchange.com/q/200239
– sampablokuper
Dec 29 '17 at 16:28
add a comment |
It is your tunnel dead because inactivity? I had this problem when tunneling ports from my phone so i finally ended spawning dummy commands on the connection to make it "alive" using thewatch
command like:watch -n1 60 echo "wiiiii"
. Tunnel will not die unless network is broken or you don't use it.
– erm3nda
Feb 10 '17 at 2:07
Related: unix.stackexchange.com/q/200239
– sampablokuper
Dec 29 '17 at 16:28
It is your tunnel dead because inactivity? I had this problem when tunneling ports from my phone so i finally ended spawning dummy commands on the connection to make it "alive" using the
watch
command like: watch -n1 60 echo "wiiiii"
. Tunnel will not die unless network is broken or you don't use it.– erm3nda
Feb 10 '17 at 2:07
It is your tunnel dead because inactivity? I had this problem when tunneling ports from my phone so i finally ended spawning dummy commands on the connection to make it "alive" using the
watch
command like: watch -n1 60 echo "wiiiii"
. Tunnel will not die unless network is broken or you don't use it.– erm3nda
Feb 10 '17 at 2:07
Related: unix.stackexchange.com/q/200239
– sampablokuper
Dec 29 '17 at 16:28
Related: unix.stackexchange.com/q/200239
– sampablokuper
Dec 29 '17 at 16:28
add a comment |
15 Answers
15
active
oldest
votes
Sounds like you need autossh. This will monitor an ssh tunnel and restart it as needed. We've used it for a couple of years and it seems to work well.
autossh -M 20000 -f -N your_public_server -R 1234:localhost:22 -C
More details on the -M parameter here
2
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
27
Could you put the example tunnel usingautossh
in the answer?
– Ehtesh Choudhury
Dec 20 '12 at 21:45
3
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.
– juckele
Aug 31 '15 at 20:01
2
For what it's worth, it looks like it's typically better to omit the-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162
– rinogo
Sep 15 '15 at 22:40
1
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
|
show 6 more comments
All stateful firewalls forget about a connection after not seeing a packet for that connection for some time (to prevent the state tables from becoming full of connections where both ends died without closing the connection). Most TCP implementations will send a keepalive packet after a long time without hearing from the other side (2 hours is a common value). If, however, there is a stateful firewall which forgets about the connection before the keepalive packets can be sent, a long-lived but idle connection will die.
If that is the case, the solution is to prevent the connection from becoming idle. OpenSSH has an option called ServerAliveInterval which can be used to prevent the connection from being idle for too long (as a bonus, it will detect when the peer died sooner even if the connection is idle).
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
4
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
add a comment |
On your own mac or linux machine configure your ssh keep the server ssh alive every 3 minutes. Open a terminal and go your your invisible .ssh in your home:
cd ~/.ssh/
then create a 1 line config file with:
echo "ServerAliveInterval 180" >> config
you should also add:
ServerAliveCountMax xxxx (high number)
the default is 3 so ServerAliveInterval 180 will stop sending after 9 minutes (3 of the 3-minute interval specified by ServerAliveInterval).
2
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
why doesServerAliveInterval 180
give us 6 minutes? intuition makes me try this :180/60 == 3
. So, doesServerAliveInterval
work in multiples of 30 secs?
– nemesisfixx
Nov 30 '11 at 14:37
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
1
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
16
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
add a comment |
I've used the following Bash script to keep spawning new ssh tunnels when the previous one dies. Using a script is handy when you don't want or can't install additional packages or use compiler.
while true
do
ssh <ssh_options> [user@]hostname
sleep 15
done
Note that this requires a keyfile to establish the connection automatically but that is the case with autossh, too.
1
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
4
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
1
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
add a comment |
Systemd is ideally suited for this.
Create a service file /etc/systemd/system/sshtunnel.service
containing:
[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=sshtunnel
ExecStart=/bin/ssh -NT -o ServerAliveInterval=60 -L 5900:localhost:5900 user@otherserver
[Install]
WantedBy=multi-user.target
(Modify the ssh command to suit)
- this will run as user
sshtunnel
so make sure that user exists first - issue
systemctl enable sshtunnel
to set it to start at boot time - issue
systemctl start sshtunnel
to start immediately
Update Jan 2018: some distros (e.g. Fedora 27) may use SELinux policy to prevent the use of SSH from systemd init, in which case a custom policy will need to be created to provide the necessary exemptions.
2
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
Excellent for asystemd
system. If one usesRestart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.
– David Tonhofer
Mar 22 '18 at 19:36
If you want to start ssh from a (bash) script given as argument toExecStart
for example to build thessh
argument list, do basic checks etc then call it from the script like soexec /bin/ssh -N ...
. Here is my command:exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
whereTUNNEL_INLET="127.0.0.1:3307"
andTUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
add a comment |
It sure looks to me that you're all misinterpreting ServerAliveCountMax. As I understand the docs, it is the number of server alive messages which can go unanswered without the connection being terminated. So in cases like we're discussing here, setting it to a high value will just ensure that a hung connection will not be detected and terminated!
Simply setting ServerAliveInterval should be sufficient to solve the problem with a firewall forgetting about the connection, and leaving ServerAliveCountMax low will allow the originating end to notice the failure and terminate if the connection fails anyway.
What you want is, 1) for the connection to stay open permanently under normal circumstances, 2) for connection failure to be detected and the originating side to exit on failure, and 3) for the ssh command to be re-issued every time it exits (how you do that is very platform dependent, the "while true" script suggested by Jawa is one way, on OS X I actually set up a launchd item).
add a comment |
Always use ServerAliveInterval
SSH option in case the tunnel issues are generated by expired NAT sessions.
Always use a respawning method in case the connectivity goes down entirely, you have at least three options here:
- autossh program
- bash script (
while true do ssh ...; sleep 5; done
) do not remove the sleep command,ssh
may fail quickly and you'll respawn too many processes
/etc/inittab
, to have access to a box shipped and installed in another country, behind NAT, without port forwarding to the box, you can configure it to create an ssh tunnel back to you:
tun1:2345:respawn:/usr/bin/ssh -i /path/to/rsaKey -f -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip 'sleep 365d'
upstart script on Ubuntu, where
/etc/inittab
is not available:
start on net-device-up IFACE=eth0
stop on runlevel [01S6]
respawn
respawn limit 180 900
exec ssh -i /path/to/rsaKey -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip
post-stop script
sleep 5
end script
or always use both methods.
1
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
add a comment |
I solved this problem with this:
Edit
~/.ssh/config
And add
ServerAliveInterval 15
ServerAliveCountMax 4
According to man page for ssh_config:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are
being sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and there‐
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valu‐
able when the client or server depend on knowing when a connec‐
tion has become inactive.
The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
add a comment |
ExitOnForwardFailure yes
is a good adjunct to the other suggestions. If it connects but can't establish the port forwarding it's just as useless to you as if it hadn't connected at all.
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
add a comment |
I've had a need to maintain an SSH-tunnel long-term. My solution was running from a Linux server, and it's just a small C program that respawns ssh using key-based authentication.
I'm not sure about the hanging, but I've had tunnels die due to timeouts.
I would love to provide the code for the respawner, but I can't seem to find it right now.
add a comment |
while there are tools like autossh that helps to restart ssh session... what i find to be really useful is to run the 'screen' command. It allows you to RESUME your ssh sessions even after you disconnect. Especially useful if your connection is not as reliable as it should be.
- http://www.howtogeek.com/howto/ubuntu/keep-your-ssh-session-running-when-you-disconnect/
...don't forget to mark this is the 'correct' answer if it helps you k! ;-)
5
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
add a comment |
A bit of a hack, but I like to use screen to keep this. I currently have a remote forward that has been running for weeks.
Example, starting locally:
screen
ssh -R ......
When the remote forward is applied, and you have a shell on the remote computer:
screen
Ctrl + a + d
You now have an uninterrupted remote forward. The trick is to run screen on both ends
add a comment |
Recently had this issue myself, because these solutions require you to re-enter the password every time if you use a password login I used sshpass in a loop along with a text prompt to avoid having the password in the batch file.
Thought I'd share my solution on this thead in case anyone else has the same issue:
#!/bin/bash
read -s -p "Password: " pass
while true
do
sshpass -p "$pass" ssh user@address -p port
sleep 1
done
add a comment |
I have had similar problems with my previous ISP.
For me it was the same with any tcp connection, visiting websites or sending mail.
The solution was to configure a VPN connection over UDP(I was using OpenVPN). This connection was more tolerant to whatever caused the disconnections. Then you can run any service through this connection.
There can still be issues with the connection but since the tunnel will be more tolerant any ssh session will feel a short holdup rather than being disconnected.
To do this you will need a VPN service online which you can setup on your own server.
add a comment |
As autossh
does not meet our needs (it exists with error if it can't connect to the server at the very first attempt), we've written a pure bash application: https://github.com/aktos-io/link-with-server
It creates a reverse tunnel for the NODE's sshd port (22) on the server by default. If you need to perform any other actions (like forwarding additional ports, sending mails on connection, etc...) you can place your scripts on-connect
and on-disconnect
folders.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f37738%2fhow-to-reliably-keep-an-ssh-tunnel-open%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
15 Answers
15
active
oldest
votes
15 Answers
15
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sounds like you need autossh. This will monitor an ssh tunnel and restart it as needed. We've used it for a couple of years and it seems to work well.
autossh -M 20000 -f -N your_public_server -R 1234:localhost:22 -C
More details on the -M parameter here
2
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
27
Could you put the example tunnel usingautossh
in the answer?
– Ehtesh Choudhury
Dec 20 '12 at 21:45
3
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.
– juckele
Aug 31 '15 at 20:01
2
For what it's worth, it looks like it's typically better to omit the-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162
– rinogo
Sep 15 '15 at 22:40
1
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
|
show 6 more comments
Sounds like you need autossh. This will monitor an ssh tunnel and restart it as needed. We've used it for a couple of years and it seems to work well.
autossh -M 20000 -f -N your_public_server -R 1234:localhost:22 -C
More details on the -M parameter here
2
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
27
Could you put the example tunnel usingautossh
in the answer?
– Ehtesh Choudhury
Dec 20 '12 at 21:45
3
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.
– juckele
Aug 31 '15 at 20:01
2
For what it's worth, it looks like it's typically better to omit the-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162
– rinogo
Sep 15 '15 at 22:40
1
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
|
show 6 more comments
Sounds like you need autossh. This will monitor an ssh tunnel and restart it as needed. We've used it for a couple of years and it seems to work well.
autossh -M 20000 -f -N your_public_server -R 1234:localhost:22 -C
More details on the -M parameter here
Sounds like you need autossh. This will monitor an ssh tunnel and restart it as needed. We've used it for a couple of years and it seems to work well.
autossh -M 20000 -f -N your_public_server -R 1234:localhost:22 -C
More details on the -M parameter here
edited May 18 '18 at 19:39
Run5k
11.1k73152
11.1k73152
answered Sep 8 '09 at 13:43
KeithBKeithB
7,79611813
7,79611813
2
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
27
Could you put the example tunnel usingautossh
in the answer?
– Ehtesh Choudhury
Dec 20 '12 at 21:45
3
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.
– juckele
Aug 31 '15 at 20:01
2
For what it's worth, it looks like it's typically better to omit the-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162
– rinogo
Sep 15 '15 at 22:40
1
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
|
show 6 more comments
2
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
27
Could you put the example tunnel usingautossh
in the answer?
– Ehtesh Choudhury
Dec 20 '12 at 21:45
3
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.
– juckele
Aug 31 '15 at 20:01
2
For what it's worth, it looks like it's typically better to omit the-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162
– rinogo
Sep 15 '15 at 22:40
1
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
2
2
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
+1 for autossh, it does what it says on the tin. I believe part of its functionality also is to send keep-alive style packets to prevent any kind of timeout.
– akent
Sep 8 '09 at 13:55
27
27
Could you put the example tunnel using
autossh
in the answer?– Ehtesh Choudhury
Dec 20 '12 at 21:45
Could you put the example tunnel using
autossh
in the answer?– Ehtesh Choudhury
Dec 20 '12 at 21:45
3
3
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.– juckele
Aug 31 '15 at 20:01
autossh -f -nNT -i ~/keypair.pem -R 2000:localhost:22 username@myoutsidebox.com
You might notice that I set this up using -nNT which doesn't create a remote terminal so that I can put autossh into the background, and the -i option for SSH to use a .pem file. If you're going to be keeping a connection open all the time, I definitely recommend going through the extra setup.– juckele
Aug 31 '15 at 20:01
2
2
For what it's worth, it looks like it's typically better to omit the
-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162– rinogo
Sep 15 '15 at 22:40
For what it's worth, it looks like it's typically better to omit the
-M
parameter: bugs.debian.org/cgi-bin/bugreport.cgi?bug=351162– rinogo
Sep 15 '15 at 22:40
1
1
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
How does that work if I have a passphrase ? would it store that passphrase in a keychain ( for example on a mac ) ?
– Yannick Y
Nov 6 '17 at 16:08
|
show 6 more comments
All stateful firewalls forget about a connection after not seeing a packet for that connection for some time (to prevent the state tables from becoming full of connections where both ends died without closing the connection). Most TCP implementations will send a keepalive packet after a long time without hearing from the other side (2 hours is a common value). If, however, there is a stateful firewall which forgets about the connection before the keepalive packets can be sent, a long-lived but idle connection will die.
If that is the case, the solution is to prevent the connection from becoming idle. OpenSSH has an option called ServerAliveInterval which can be used to prevent the connection from being idle for too long (as a bonus, it will detect when the peer died sooner even if the connection is idle).
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
4
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
add a comment |
All stateful firewalls forget about a connection after not seeing a packet for that connection for some time (to prevent the state tables from becoming full of connections where both ends died without closing the connection). Most TCP implementations will send a keepalive packet after a long time without hearing from the other side (2 hours is a common value). If, however, there is a stateful firewall which forgets about the connection before the keepalive packets can be sent, a long-lived but idle connection will die.
If that is the case, the solution is to prevent the connection from becoming idle. OpenSSH has an option called ServerAliveInterval which can be used to prevent the connection from being idle for too long (as a bonus, it will detect when the peer died sooner even if the connection is idle).
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
4
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
add a comment |
All stateful firewalls forget about a connection after not seeing a packet for that connection for some time (to prevent the state tables from becoming full of connections where both ends died without closing the connection). Most TCP implementations will send a keepalive packet after a long time without hearing from the other side (2 hours is a common value). If, however, there is a stateful firewall which forgets about the connection before the keepalive packets can be sent, a long-lived but idle connection will die.
If that is the case, the solution is to prevent the connection from becoming idle. OpenSSH has an option called ServerAliveInterval which can be used to prevent the connection from being idle for too long (as a bonus, it will detect when the peer died sooner even if the connection is idle).
All stateful firewalls forget about a connection after not seeing a packet for that connection for some time (to prevent the state tables from becoming full of connections where both ends died without closing the connection). Most TCP implementations will send a keepalive packet after a long time without hearing from the other side (2 hours is a common value). If, however, there is a stateful firewall which forgets about the connection before the keepalive packets can be sent, a long-lived but idle connection will die.
If that is the case, the solution is to prevent the connection from becoming idle. OpenSSH has an option called ServerAliveInterval which can be used to prevent the connection from being idle for too long (as a bonus, it will detect when the peer died sooner even if the connection is idle).
edited Jan 25 at 2:32
Xilexio
1033
1033
answered Sep 28 '09 at 13:47
CesarBCesarB
3,98512222
3,98512222
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
4
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
add a comment |
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
4
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
The interval specified is in seconds, so you can provide some fine tuning. If your stateful firewall has a 5 minute idle timeout, then 60 or 120 seconds is enough to keep the connection open. It's one of the ways I keep my ssh sessions through my home router open.
– Darren Hall
Dec 2 '09 at 21:16
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
Thanks, this helped. But note (from a lower-ranked answer here, superuser.com/a/146641/115515) that if you specify ServerAliveInterval and not ServerAliveCountMax, you may find ssh intentionally disconnecting sooner than you wanted.
– metamatt
Jan 26 '12 at 21:54
4
4
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
@metamatt, that lower-ranked answer you reference is lower-ranked for good reason: IT IS WRONG.
– Lambart
Feb 20 '14 at 0:14
add a comment |
On your own mac or linux machine configure your ssh keep the server ssh alive every 3 minutes. Open a terminal and go your your invisible .ssh in your home:
cd ~/.ssh/
then create a 1 line config file with:
echo "ServerAliveInterval 180" >> config
you should also add:
ServerAliveCountMax xxxx (high number)
the default is 3 so ServerAliveInterval 180 will stop sending after 9 minutes (3 of the 3-minute interval specified by ServerAliveInterval).
2
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
why doesServerAliveInterval 180
give us 6 minutes? intuition makes me try this :180/60 == 3
. So, doesServerAliveInterval
work in multiples of 30 secs?
– nemesisfixx
Nov 30 '11 at 14:37
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
1
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
16
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
add a comment |
On your own mac or linux machine configure your ssh keep the server ssh alive every 3 minutes. Open a terminal and go your your invisible .ssh in your home:
cd ~/.ssh/
then create a 1 line config file with:
echo "ServerAliveInterval 180" >> config
you should also add:
ServerAliveCountMax xxxx (high number)
the default is 3 so ServerAliveInterval 180 will stop sending after 9 minutes (3 of the 3-minute interval specified by ServerAliveInterval).
2
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
why doesServerAliveInterval 180
give us 6 minutes? intuition makes me try this :180/60 == 3
. So, doesServerAliveInterval
work in multiples of 30 secs?
– nemesisfixx
Nov 30 '11 at 14:37
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
1
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
16
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
add a comment |
On your own mac or linux machine configure your ssh keep the server ssh alive every 3 minutes. Open a terminal and go your your invisible .ssh in your home:
cd ~/.ssh/
then create a 1 line config file with:
echo "ServerAliveInterval 180" >> config
you should also add:
ServerAliveCountMax xxxx (high number)
the default is 3 so ServerAliveInterval 180 will stop sending after 9 minutes (3 of the 3-minute interval specified by ServerAliveInterval).
On your own mac or linux machine configure your ssh keep the server ssh alive every 3 minutes. Open a terminal and go your your invisible .ssh in your home:
cd ~/.ssh/
then create a 1 line config file with:
echo "ServerAliveInterval 180" >> config
you should also add:
ServerAliveCountMax xxxx (high number)
the default is 3 so ServerAliveInterval 180 will stop sending after 9 minutes (3 of the 3-minute interval specified by ServerAliveInterval).
edited Jan 26 '12 at 21:55
metamatt
1035
1035
answered May 29 '10 at 13:45
David ShawDavid Shaw
25522
25522
2
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
why doesServerAliveInterval 180
give us 6 minutes? intuition makes me try this :180/60 == 3
. So, doesServerAliveInterval
work in multiples of 30 secs?
– nemesisfixx
Nov 30 '11 at 14:37
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
1
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
16
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
add a comment |
2
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
why doesServerAliveInterval 180
give us 6 minutes? intuition makes me try this :180/60 == 3
. So, doesServerAliveInterval
work in multiples of 30 secs?
– nemesisfixx
Nov 30 '11 at 14:37
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
1
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
16
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
2
2
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
Note that your command is not recommended if you already have a config file. Using >> for redirection would be a lot better!
– Peltier
Mar 18 '11 at 9:34
why does
ServerAliveInterval 180
give us 6 minutes? intuition makes me try this : 180/60 == 3
. So, does ServerAliveInterval
work in multiples of 30 secs?– nemesisfixx
Nov 30 '11 at 14:37
why does
ServerAliveInterval 180
give us 6 minutes? intuition makes me try this : 180/60 == 3
. So, does ServerAliveInterval
work in multiples of 30 secs?– nemesisfixx
Nov 30 '11 at 14:37
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
@mcnemesis: ServerAliveInterval 180 means 3 minutes. ServerAliveCountMax default of 3 means 3 of those intervals, so 9 minutes.
– metamatt
Jan 26 '12 at 21:50
1
1
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
I'm voting this answer up because thanks for mentioning ServerAliveCountMax, and what happens if you specify ServerAliveInterval without ServerAliveCountMax. But like the preceding comments, I notice the calculation on "will stop sending after" is wrong, and I think this answer would serve better if it just gave the information on these options, not telling us how to apply them with cd and echo commands.
– metamatt
Jan 26 '12 at 21:51
16
16
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
Downvoting because it makes no sense to set ServerAliveCountMax to a "high number". ServerAliveCountMax specifies how many times it will try to send the "keepalive" message before giving up. The default is 3, so with ServerAliveInterval 180, it will stop sending ONLY if the server has NOT RESPONDED after 9 minutes, in which case your connection is probably well and truly dead.
– Lambart
Feb 20 '14 at 0:13
add a comment |
I've used the following Bash script to keep spawning new ssh tunnels when the previous one dies. Using a script is handy when you don't want or can't install additional packages or use compiler.
while true
do
ssh <ssh_options> [user@]hostname
sleep 15
done
Note that this requires a keyfile to establish the connection automatically but that is the case with autossh, too.
1
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
4
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
1
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
add a comment |
I've used the following Bash script to keep spawning new ssh tunnels when the previous one dies. Using a script is handy when you don't want or can't install additional packages or use compiler.
while true
do
ssh <ssh_options> [user@]hostname
sleep 15
done
Note that this requires a keyfile to establish the connection automatically but that is the case with autossh, too.
1
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
4
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
1
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
add a comment |
I've used the following Bash script to keep spawning new ssh tunnels when the previous one dies. Using a script is handy when you don't want or can't install additional packages or use compiler.
while true
do
ssh <ssh_options> [user@]hostname
sleep 15
done
Note that this requires a keyfile to establish the connection automatically but that is the case with autossh, too.
I've used the following Bash script to keep spawning new ssh tunnels when the previous one dies. Using a script is handy when you don't want or can't install additional packages or use compiler.
while true
do
ssh <ssh_options> [user@]hostname
sleep 15
done
Note that this requires a keyfile to establish the connection automatically but that is the case with autossh, too.
answered Sep 22 '09 at 14:58
JawaJawa
3,15982435
3,15982435
1
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
4
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
1
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
add a comment |
1
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
4
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
1
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
1
1
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
You should add any reasons that you'd use this script over autossh, or is it just that it's easier this way?
– kyrias
Oct 20 '12 at 17:25
4
4
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
This wouldn't help if ssh itself freezes, would it?
– nafg
Nov 25 '13 at 23:59
1
1
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
It helps if you can't install things in the server. autossh doesn't come preinstalled and bureucracy it's sometimes very obtuse.
– quarkex
Mar 13 '17 at 15:13
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
Yes, preferable not to have to install things. I've been doing it this way for a year as my only way to keep a remote machine accessible (even set crontab to run it upon reboot). It's never failed, and more importantly, I know why it will never fail.
– sudo
Apr 2 '18 at 6:42
add a comment |
Systemd is ideally suited for this.
Create a service file /etc/systemd/system/sshtunnel.service
containing:
[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=sshtunnel
ExecStart=/bin/ssh -NT -o ServerAliveInterval=60 -L 5900:localhost:5900 user@otherserver
[Install]
WantedBy=multi-user.target
(Modify the ssh command to suit)
- this will run as user
sshtunnel
so make sure that user exists first - issue
systemctl enable sshtunnel
to set it to start at boot time - issue
systemctl start sshtunnel
to start immediately
Update Jan 2018: some distros (e.g. Fedora 27) may use SELinux policy to prevent the use of SSH from systemd init, in which case a custom policy will need to be created to provide the necessary exemptions.
2
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
Excellent for asystemd
system. If one usesRestart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.
– David Tonhofer
Mar 22 '18 at 19:36
If you want to start ssh from a (bash) script given as argument toExecStart
for example to build thessh
argument list, do basic checks etc then call it from the script like soexec /bin/ssh -N ...
. Here is my command:exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
whereTUNNEL_INLET="127.0.0.1:3307"
andTUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
add a comment |
Systemd is ideally suited for this.
Create a service file /etc/systemd/system/sshtunnel.service
containing:
[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=sshtunnel
ExecStart=/bin/ssh -NT -o ServerAliveInterval=60 -L 5900:localhost:5900 user@otherserver
[Install]
WantedBy=multi-user.target
(Modify the ssh command to suit)
- this will run as user
sshtunnel
so make sure that user exists first - issue
systemctl enable sshtunnel
to set it to start at boot time - issue
systemctl start sshtunnel
to start immediately
Update Jan 2018: some distros (e.g. Fedora 27) may use SELinux policy to prevent the use of SSH from systemd init, in which case a custom policy will need to be created to provide the necessary exemptions.
2
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
Excellent for asystemd
system. If one usesRestart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.
– David Tonhofer
Mar 22 '18 at 19:36
If you want to start ssh from a (bash) script given as argument toExecStart
for example to build thessh
argument list, do basic checks etc then call it from the script like soexec /bin/ssh -N ...
. Here is my command:exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
whereTUNNEL_INLET="127.0.0.1:3307"
andTUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
add a comment |
Systemd is ideally suited for this.
Create a service file /etc/systemd/system/sshtunnel.service
containing:
[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=sshtunnel
ExecStart=/bin/ssh -NT -o ServerAliveInterval=60 -L 5900:localhost:5900 user@otherserver
[Install]
WantedBy=multi-user.target
(Modify the ssh command to suit)
- this will run as user
sshtunnel
so make sure that user exists first - issue
systemctl enable sshtunnel
to set it to start at boot time - issue
systemctl start sshtunnel
to start immediately
Update Jan 2018: some distros (e.g. Fedora 27) may use SELinux policy to prevent the use of SSH from systemd init, in which case a custom policy will need to be created to provide the necessary exemptions.
Systemd is ideally suited for this.
Create a service file /etc/systemd/system/sshtunnel.service
containing:
[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=sshtunnel
ExecStart=/bin/ssh -NT -o ServerAliveInterval=60 -L 5900:localhost:5900 user@otherserver
[Install]
WantedBy=multi-user.target
(Modify the ssh command to suit)
- this will run as user
sshtunnel
so make sure that user exists first - issue
systemctl enable sshtunnel
to set it to start at boot time - issue
systemctl start sshtunnel
to start immediately
Update Jan 2018: some distros (e.g. Fedora 27) may use SELinux policy to prevent the use of SSH from systemd init, in which case a custom policy will need to be created to provide the necessary exemptions.
edited Jan 14 '18 at 3:39
answered Jul 28 '16 at 6:10
IanBIanB
28528
28528
2
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
Excellent for asystemd
system. If one usesRestart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.
– David Tonhofer
Mar 22 '18 at 19:36
If you want to start ssh from a (bash) script given as argument toExecStart
for example to build thessh
argument list, do basic checks etc then call it from the script like soexec /bin/ssh -N ...
. Here is my command:exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
whereTUNNEL_INLET="127.0.0.1:3307"
andTUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
add a comment |
2
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
Excellent for asystemd
system. If one usesRestart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.
– David Tonhofer
Mar 22 '18 at 19:36
If you want to start ssh from a (bash) script given as argument toExecStart
for example to build thessh
argument list, do basic checks etc then call it from the script like soexec /bin/ssh -N ...
. Here is my command:exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
whereTUNNEL_INLET="127.0.0.1:3307"
andTUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
2
2
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
This looks very similar to my gist: gist.github.com/guettli/… Feedback is welcome!
– guettli
Dec 22 '17 at 11:47
Excellent for a
systemd
system. If one uses Restart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.– David Tonhofer
Mar 22 '18 at 19:36
Excellent for a
systemd
system. If one uses Restart=on-failure
then manually killing the SSH client will not result in a restart-by-systemd as the SSH client with exit with success.– David Tonhofer
Mar 22 '18 at 19:36
If you want to start ssh from a (bash) script given as argument to
ExecStart
for example to build the ssh
argument list, do basic checks etc then call it from the script like so exec /bin/ssh -N ...
. Here is my command: exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
where TUNNEL_INLET="127.0.0.1:3307"
and TUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
If you want to start ssh from a (bash) script given as argument to
ExecStart
for example to build the ssh
argument list, do basic checks etc then call it from the script like so exec /bin/ssh -N ...
. Here is my command: exec /bin/ssh -N -oExitOnForwardFailure=Yes -oTCPKeepAlive=no -oServerAliveInterval=5 -oServerAliveCountMax=6 -i "${LOCAL_PRIVATE_KEY}" -L "${TUNNEL_INLET}:${TUNNEL_OUTLET}" "${REMOTE_USER}@${REMOTE_MACHINE}"
where TUNNEL_INLET="127.0.0.1:3307"
and TUNNEL_OUTLET="127.0.0.1:3306"
– David Tonhofer
Mar 22 '18 at 19:42
add a comment |
It sure looks to me that you're all misinterpreting ServerAliveCountMax. As I understand the docs, it is the number of server alive messages which can go unanswered without the connection being terminated. So in cases like we're discussing here, setting it to a high value will just ensure that a hung connection will not be detected and terminated!
Simply setting ServerAliveInterval should be sufficient to solve the problem with a firewall forgetting about the connection, and leaving ServerAliveCountMax low will allow the originating end to notice the failure and terminate if the connection fails anyway.
What you want is, 1) for the connection to stay open permanently under normal circumstances, 2) for connection failure to be detected and the originating side to exit on failure, and 3) for the ssh command to be re-issued every time it exits (how you do that is very platform dependent, the "while true" script suggested by Jawa is one way, on OS X I actually set up a launchd item).
add a comment |
It sure looks to me that you're all misinterpreting ServerAliveCountMax. As I understand the docs, it is the number of server alive messages which can go unanswered without the connection being terminated. So in cases like we're discussing here, setting it to a high value will just ensure that a hung connection will not be detected and terminated!
Simply setting ServerAliveInterval should be sufficient to solve the problem with a firewall forgetting about the connection, and leaving ServerAliveCountMax low will allow the originating end to notice the failure and terminate if the connection fails anyway.
What you want is, 1) for the connection to stay open permanently under normal circumstances, 2) for connection failure to be detected and the originating side to exit on failure, and 3) for the ssh command to be re-issued every time it exits (how you do that is very platform dependent, the "while true" script suggested by Jawa is one way, on OS X I actually set up a launchd item).
add a comment |
It sure looks to me that you're all misinterpreting ServerAliveCountMax. As I understand the docs, it is the number of server alive messages which can go unanswered without the connection being terminated. So in cases like we're discussing here, setting it to a high value will just ensure that a hung connection will not be detected and terminated!
Simply setting ServerAliveInterval should be sufficient to solve the problem with a firewall forgetting about the connection, and leaving ServerAliveCountMax low will allow the originating end to notice the failure and terminate if the connection fails anyway.
What you want is, 1) for the connection to stay open permanently under normal circumstances, 2) for connection failure to be detected and the originating side to exit on failure, and 3) for the ssh command to be re-issued every time it exits (how you do that is very platform dependent, the "while true" script suggested by Jawa is one way, on OS X I actually set up a launchd item).
It sure looks to me that you're all misinterpreting ServerAliveCountMax. As I understand the docs, it is the number of server alive messages which can go unanswered without the connection being terminated. So in cases like we're discussing here, setting it to a high value will just ensure that a hung connection will not be detected and terminated!
Simply setting ServerAliveInterval should be sufficient to solve the problem with a firewall forgetting about the connection, and leaving ServerAliveCountMax low will allow the originating end to notice the failure and terminate if the connection fails anyway.
What you want is, 1) for the connection to stay open permanently under normal circumstances, 2) for connection failure to be detected and the originating side to exit on failure, and 3) for the ssh command to be re-issued every time it exits (how you do that is very platform dependent, the "while true" script suggested by Jawa is one way, on OS X I actually set up a launchd item).
answered Nov 28 '13 at 1:04
user2793784user2793784
9111
9111
add a comment |
add a comment |
Always use ServerAliveInterval
SSH option in case the tunnel issues are generated by expired NAT sessions.
Always use a respawning method in case the connectivity goes down entirely, you have at least three options here:
- autossh program
- bash script (
while true do ssh ...; sleep 5; done
) do not remove the sleep command,ssh
may fail quickly and you'll respawn too many processes
/etc/inittab
, to have access to a box shipped and installed in another country, behind NAT, without port forwarding to the box, you can configure it to create an ssh tunnel back to you:
tun1:2345:respawn:/usr/bin/ssh -i /path/to/rsaKey -f -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip 'sleep 365d'
upstart script on Ubuntu, where
/etc/inittab
is not available:
start on net-device-up IFACE=eth0
stop on runlevel [01S6]
respawn
respawn limit 180 900
exec ssh -i /path/to/rsaKey -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip
post-stop script
sleep 5
end script
or always use both methods.
1
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
add a comment |
Always use ServerAliveInterval
SSH option in case the tunnel issues are generated by expired NAT sessions.
Always use a respawning method in case the connectivity goes down entirely, you have at least three options here:
- autossh program
- bash script (
while true do ssh ...; sleep 5; done
) do not remove the sleep command,ssh
may fail quickly and you'll respawn too many processes
/etc/inittab
, to have access to a box shipped and installed in another country, behind NAT, without port forwarding to the box, you can configure it to create an ssh tunnel back to you:
tun1:2345:respawn:/usr/bin/ssh -i /path/to/rsaKey -f -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip 'sleep 365d'
upstart script on Ubuntu, where
/etc/inittab
is not available:
start on net-device-up IFACE=eth0
stop on runlevel [01S6]
respawn
respawn limit 180 900
exec ssh -i /path/to/rsaKey -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip
post-stop script
sleep 5
end script
or always use both methods.
1
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
add a comment |
Always use ServerAliveInterval
SSH option in case the tunnel issues are generated by expired NAT sessions.
Always use a respawning method in case the connectivity goes down entirely, you have at least three options here:
- autossh program
- bash script (
while true do ssh ...; sleep 5; done
) do not remove the sleep command,ssh
may fail quickly and you'll respawn too many processes
/etc/inittab
, to have access to a box shipped and installed in another country, behind NAT, without port forwarding to the box, you can configure it to create an ssh tunnel back to you:
tun1:2345:respawn:/usr/bin/ssh -i /path/to/rsaKey -f -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip 'sleep 365d'
upstart script on Ubuntu, where
/etc/inittab
is not available:
start on net-device-up IFACE=eth0
stop on runlevel [01S6]
respawn
respawn limit 180 900
exec ssh -i /path/to/rsaKey -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip
post-stop script
sleep 5
end script
or always use both methods.
Always use ServerAliveInterval
SSH option in case the tunnel issues are generated by expired NAT sessions.
Always use a respawning method in case the connectivity goes down entirely, you have at least three options here:
- autossh program
- bash script (
while true do ssh ...; sleep 5; done
) do not remove the sleep command,ssh
may fail quickly and you'll respawn too many processes
/etc/inittab
, to have access to a box shipped and installed in another country, behind NAT, without port forwarding to the box, you can configure it to create an ssh tunnel back to you:
tun1:2345:respawn:/usr/bin/ssh -i /path/to/rsaKey -f -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip 'sleep 365d'
upstart script on Ubuntu, where
/etc/inittab
is not available:
start on net-device-up IFACE=eth0
stop on runlevel [01S6]
respawn
respawn limit 180 900
exec ssh -i /path/to/rsaKey -N -o "ServerAliveInterval 180" -R 55002:localhost:22 user@publicip
post-stop script
sleep 5
end script
or always use both methods.
edited Apr 18 '15 at 1:03
Roger Dueck
1033
1033
answered Mar 8 '14 at 21:30
claudiufclaudiuf
32122
32122
1
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
add a comment |
1
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
1
1
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
+1 for inline option in case you don't want it for all of your SSH connections
– user1146334
Jul 7 '14 at 14:29
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
You write "in case connectivity goes down entirely". Now I don't understand, what problems does autossh fix itself, and what does it not? I thought, of course, it would take care of any broken connection, like unplugging the cable for a few hours, but perhaps not?
– Mads Skjern
May 12 '16 at 19:02
add a comment |
I solved this problem with this:
Edit
~/.ssh/config
And add
ServerAliveInterval 15
ServerAliveCountMax 4
According to man page for ssh_config:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are
being sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and there‐
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valu‐
able when the client or server depend on knowing when a connec‐
tion has become inactive.
The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
add a comment |
I solved this problem with this:
Edit
~/.ssh/config
And add
ServerAliveInterval 15
ServerAliveCountMax 4
According to man page for ssh_config:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are
being sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and there‐
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valu‐
able when the client or server depend on knowing when a connec‐
tion has become inactive.
The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
add a comment |
I solved this problem with this:
Edit
~/.ssh/config
And add
ServerAliveInterval 15
ServerAliveCountMax 4
According to man page for ssh_config:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are
being sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and there‐
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valu‐
able when the client or server depend on knowing when a connec‐
tion has become inactive.
The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.
I solved this problem with this:
Edit
~/.ssh/config
And add
ServerAliveInterval 15
ServerAliveCountMax 4
According to man page for ssh_config:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are
being sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and there‐
fore will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valu‐
able when the client or server depend on knowing when a connec‐
tion has become inactive.
The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.
edited Nov 13 '15 at 19:39
kokbira
4,123113465
4,123113465
answered May 30 '13 at 13:32
nachopronachopro
16113
16113
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
add a comment |
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
Every 15 seconds seems pretty often to ping the server.
– Lambart
Feb 20 '14 at 0:08
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
@Lambart but if the connection is really flaky and drops connections often, it at least detects a dead connection and gives the opportunity to retry earlier.
– binki
Dec 13 '14 at 2:00
add a comment |
ExitOnForwardFailure yes
is a good adjunct to the other suggestions. If it connects but can't establish the port forwarding it's just as useless to you as if it hadn't connected at all.
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
add a comment |
ExitOnForwardFailure yes
is a good adjunct to the other suggestions. If it connects but can't establish the port forwarding it's just as useless to you as if it hadn't connected at all.
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
add a comment |
ExitOnForwardFailure yes
is a good adjunct to the other suggestions. If it connects but can't establish the port forwarding it's just as useless to you as if it hadn't connected at all.
ExitOnForwardFailure yes
is a good adjunct to the other suggestions. If it connects but can't establish the port forwarding it's just as useless to you as if it hadn't connected at all.
edited Jun 6 '15 at 23:52
answered Jun 6 '15 at 23:41
jcomeau_ictxjcomeau_ictx
539612
539612
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
add a comment |
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
This is a very good idea. Even autossh is useless if the previous connection is perceived as timed out earlier in the remote side than in the local host, since in this case the local host will try to connect again, but the forwarding cannot be established because the port is still open.
– Raúl Salinas-Monteagudo
May 24 '17 at 7:42
add a comment |
I've had a need to maintain an SSH-tunnel long-term. My solution was running from a Linux server, and it's just a small C program that respawns ssh using key-based authentication.
I'm not sure about the hanging, but I've had tunnels die due to timeouts.
I would love to provide the code for the respawner, but I can't seem to find it right now.
add a comment |
I've had a need to maintain an SSH-tunnel long-term. My solution was running from a Linux server, and it's just a small C program that respawns ssh using key-based authentication.
I'm not sure about the hanging, but I've had tunnels die due to timeouts.
I would love to provide the code for the respawner, but I can't seem to find it right now.
add a comment |
I've had a need to maintain an SSH-tunnel long-term. My solution was running from a Linux server, and it's just a small C program that respawns ssh using key-based authentication.
I'm not sure about the hanging, but I've had tunnels die due to timeouts.
I would love to provide the code for the respawner, but I can't seem to find it right now.
I've had a need to maintain an SSH-tunnel long-term. My solution was running from a Linux server, and it's just a small C program that respawns ssh using key-based authentication.
I'm not sure about the hanging, but I've had tunnels die due to timeouts.
I would love to provide the code for the respawner, but I can't seem to find it right now.
answered Sep 8 '09 at 13:17
baumgartbaumgart
1,156613
1,156613
add a comment |
add a comment |
while there are tools like autossh that helps to restart ssh session... what i find to be really useful is to run the 'screen' command. It allows you to RESUME your ssh sessions even after you disconnect. Especially useful if your connection is not as reliable as it should be.
- http://www.howtogeek.com/howto/ubuntu/keep-your-ssh-session-running-when-you-disconnect/
...don't forget to mark this is the 'correct' answer if it helps you k! ;-)
5
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
add a comment |
while there are tools like autossh that helps to restart ssh session... what i find to be really useful is to run the 'screen' command. It allows you to RESUME your ssh sessions even after you disconnect. Especially useful if your connection is not as reliable as it should be.
- http://www.howtogeek.com/howto/ubuntu/keep-your-ssh-session-running-when-you-disconnect/
...don't forget to mark this is the 'correct' answer if it helps you k! ;-)
5
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
add a comment |
while there are tools like autossh that helps to restart ssh session... what i find to be really useful is to run the 'screen' command. It allows you to RESUME your ssh sessions even after you disconnect. Especially useful if your connection is not as reliable as it should be.
- http://www.howtogeek.com/howto/ubuntu/keep-your-ssh-session-running-when-you-disconnect/
...don't forget to mark this is the 'correct' answer if it helps you k! ;-)
while there are tools like autossh that helps to restart ssh session... what i find to be really useful is to run the 'screen' command. It allows you to RESUME your ssh sessions even after you disconnect. Especially useful if your connection is not as reliable as it should be.
- http://www.howtogeek.com/howto/ubuntu/keep-your-ssh-session-running-when-you-disconnect/
...don't forget to mark this is the 'correct' answer if it helps you k! ;-)
answered Sep 8 '09 at 14:09
kosskoss
16414
16414
5
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
add a comment |
5
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
5
5
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
... but the question was about how to keep SSH tunnels open, not just a terminal session. Screen IS great though!
– akent
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
I already use screen, but it doesn't solve my problem :-/ Thanks for your answer, though.
– Peltier
Sep 8 '09 at 14:15
add a comment |
A bit of a hack, but I like to use screen to keep this. I currently have a remote forward that has been running for weeks.
Example, starting locally:
screen
ssh -R ......
When the remote forward is applied, and you have a shell on the remote computer:
screen
Ctrl + a + d
You now have an uninterrupted remote forward. The trick is to run screen on both ends
add a comment |
A bit of a hack, but I like to use screen to keep this. I currently have a remote forward that has been running for weeks.
Example, starting locally:
screen
ssh -R ......
When the remote forward is applied, and you have a shell on the remote computer:
screen
Ctrl + a + d
You now have an uninterrupted remote forward. The trick is to run screen on both ends
add a comment |
A bit of a hack, but I like to use screen to keep this. I currently have a remote forward that has been running for weeks.
Example, starting locally:
screen
ssh -R ......
When the remote forward is applied, and you have a shell on the remote computer:
screen
Ctrl + a + d
You now have an uninterrupted remote forward. The trick is to run screen on both ends
A bit of a hack, but I like to use screen to keep this. I currently have a remote forward that has been running for weeks.
Example, starting locally:
screen
ssh -R ......
When the remote forward is applied, and you have a shell on the remote computer:
screen
Ctrl + a + d
You now have an uninterrupted remote forward. The trick is to run screen on both ends
answered Mar 13 '12 at 12:11
landyprolandypro
211
211
add a comment |
add a comment |
Recently had this issue myself, because these solutions require you to re-enter the password every time if you use a password login I used sshpass in a loop along with a text prompt to avoid having the password in the batch file.
Thought I'd share my solution on this thead in case anyone else has the same issue:
#!/bin/bash
read -s -p "Password: " pass
while true
do
sshpass -p "$pass" ssh user@address -p port
sleep 1
done
add a comment |
Recently had this issue myself, because these solutions require you to re-enter the password every time if you use a password login I used sshpass in a loop along with a text prompt to avoid having the password in the batch file.
Thought I'd share my solution on this thead in case anyone else has the same issue:
#!/bin/bash
read -s -p "Password: " pass
while true
do
sshpass -p "$pass" ssh user@address -p port
sleep 1
done
add a comment |
Recently had this issue myself, because these solutions require you to re-enter the password every time if you use a password login I used sshpass in a loop along with a text prompt to avoid having the password in the batch file.
Thought I'd share my solution on this thead in case anyone else has the same issue:
#!/bin/bash
read -s -p "Password: " pass
while true
do
sshpass -p "$pass" ssh user@address -p port
sleep 1
done
Recently had this issue myself, because these solutions require you to re-enter the password every time if you use a password login I used sshpass in a loop along with a text prompt to avoid having the password in the batch file.
Thought I'd share my solution on this thead in case anyone else has the same issue:
#!/bin/bash
read -s -p "Password: " pass
while true
do
sshpass -p "$pass" ssh user@address -p port
sleep 1
done
edited Jul 30 '15 at 14:24
answered Jul 30 '15 at 14:02
BrainfloatBrainfloat
1112
1112
add a comment |
add a comment |
I have had similar problems with my previous ISP.
For me it was the same with any tcp connection, visiting websites or sending mail.
The solution was to configure a VPN connection over UDP(I was using OpenVPN). This connection was more tolerant to whatever caused the disconnections. Then you can run any service through this connection.
There can still be issues with the connection but since the tunnel will be more tolerant any ssh session will feel a short holdup rather than being disconnected.
To do this you will need a VPN service online which you can setup on your own server.
add a comment |
I have had similar problems with my previous ISP.
For me it was the same with any tcp connection, visiting websites or sending mail.
The solution was to configure a VPN connection over UDP(I was using OpenVPN). This connection was more tolerant to whatever caused the disconnections. Then you can run any service through this connection.
There can still be issues with the connection but since the tunnel will be more tolerant any ssh session will feel a short holdup rather than being disconnected.
To do this you will need a VPN service online which you can setup on your own server.
add a comment |
I have had similar problems with my previous ISP.
For me it was the same with any tcp connection, visiting websites or sending mail.
The solution was to configure a VPN connection over UDP(I was using OpenVPN). This connection was more tolerant to whatever caused the disconnections. Then you can run any service through this connection.
There can still be issues with the connection but since the tunnel will be more tolerant any ssh session will feel a short holdup rather than being disconnected.
To do this you will need a VPN service online which you can setup on your own server.
I have had similar problems with my previous ISP.
For me it was the same with any tcp connection, visiting websites or sending mail.
The solution was to configure a VPN connection over UDP(I was using OpenVPN). This connection was more tolerant to whatever caused the disconnections. Then you can run any service through this connection.
There can still be issues with the connection but since the tunnel will be more tolerant any ssh session will feel a short holdup rather than being disconnected.
To do this you will need a VPN service online which you can setup on your own server.
answered Sep 28 '09 at 10:27
hultqvisthultqvist
267210
267210
add a comment |
add a comment |
As autossh
does not meet our needs (it exists with error if it can't connect to the server at the very first attempt), we've written a pure bash application: https://github.com/aktos-io/link-with-server
It creates a reverse tunnel for the NODE's sshd port (22) on the server by default. If you need to perform any other actions (like forwarding additional ports, sending mails on connection, etc...) you can place your scripts on-connect
and on-disconnect
folders.
add a comment |
As autossh
does not meet our needs (it exists with error if it can't connect to the server at the very first attempt), we've written a pure bash application: https://github.com/aktos-io/link-with-server
It creates a reverse tunnel for the NODE's sshd port (22) on the server by default. If you need to perform any other actions (like forwarding additional ports, sending mails on connection, etc...) you can place your scripts on-connect
and on-disconnect
folders.
add a comment |
As autossh
does not meet our needs (it exists with error if it can't connect to the server at the very first attempt), we've written a pure bash application: https://github.com/aktos-io/link-with-server
It creates a reverse tunnel for the NODE's sshd port (22) on the server by default. If you need to perform any other actions (like forwarding additional ports, sending mails on connection, etc...) you can place your scripts on-connect
and on-disconnect
folders.
As autossh
does not meet our needs (it exists with error if it can't connect to the server at the very first attempt), we've written a pure bash application: https://github.com/aktos-io/link-with-server
It creates a reverse tunnel for the NODE's sshd port (22) on the server by default. If you need to perform any other actions (like forwarding additional ports, sending mails on connection, etc...) you can place your scripts on-connect
and on-disconnect
folders.
answered Jul 15 '17 at 0:04
ceremcemceremcem
206314
206314
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f37738%2fhow-to-reliably-keep-an-ssh-tunnel-open%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It is your tunnel dead because inactivity? I had this problem when tunneling ports from my phone so i finally ended spawning dummy commands on the connection to make it "alive" using the
watch
command like:watch -n1 60 echo "wiiiii"
. Tunnel will not die unless network is broken or you don't use it.– erm3nda
Feb 10 '17 at 2:07
Related: unix.stackexchange.com/q/200239
– sampablokuper
Dec 29 '17 at 16:28