From 12da74421449ed5519e986c5d4f8aa0c6156b6842d7c08ef107dd862d56afeca Mon Sep 17 00:00:00 2001
From: Greg Freemyer
Date: Mon, 11 May 2015 01:16:35 +0000
Subject: [PATCH] Accepting request 305305 from home:gregfreemyer:branches:security

Make autossh a instantiated service in systemd environments.
Add a readme that details the installation.

OBS-URL: https://build.opensuse.org/request/show/305305
OBS-URL: https://build.opensuse.org/package/show/security/autossh?expand=0&rev=19
---
 README.SUSE.md | 137 ++++++++++++++++++++++++++++++++++++++++++++++++
 autossh.changes | 15 ++++++
 autossh.service | 6 ++-
 autossh.spec | 13 +++--
 my.conf | 16 ++++++
 5 files changed, 182 insertions(+), 5 deletions(-)
 create mode 100644 README.SUSE.md
 create mode 100644 my.conf

diff --git a/README.SUSE.md b/README.SUSE.md
new file mode 100644
index 0000000..613f81b
--- /dev/null
+++ b/README.SUSE.md
@@ -0,0 +1,137 @@
+
+This README is written in markdown format. The retext editor in "preview" mode is one method of viewing it properly.
+Anyone editing this document should verify it displays properly in retext preview mode before submitting changes.
+
+# autossh
+
+autossh is designed to let you setup both normal encrypted and reverse encrypted tunnels.
+
+## autossh with systemd
+
+To use autossh as a systemd service the following MUST be done at a minimum:
+
+autossh is an "instantiated" service with systemd meaning you can instantiate
+it multiple times in order to create multiple tunnels
+
+The below is psuedo code that shows what YOU need to do.
+The values for my_tunnel should be whatever you desire them to be
+
+for (my_tunnel in ssh http imap pop) {
+> sytemctl enable autossh@${my-tunnel}.service
+
+> mkdir /etc/systemd/system/autossh@${my-tunnel}.service.d
+ cp /usr/share/doc/packages/autossh/my.conf /etc/systemd/system/autossh@${my-tunnel}.service.d
+ edit /etc/systemd/system/autossh@${my-tunnel}.service.d/my.conf to reflect your needs
+
+> sytemctl start autossh@${my-tunnel}.service
+
+}
+
+The author of this README only uses autossh for reverse tunnels, so see
+the below reverse tunnels description for detailed instructions of that usage.
+
+## autossh to create reverse encrypted tunnels
+
+This README supplements the above.
+
+You should read and understand the instructions in the above before reading these.
+
+These are detailed steps you must do to actually use autossh in openSUSE.
+
+### Reverse tunnel overview
+
+autossh is designed to let you setup both normal encrypted and reverse encrypted tunnels.
+
+With a reverse encrypted tunnel you can, as an example, have a machine behind
+a NAT firewall expose a ssh listening port by tunneling it through a well known
+server to a public facing port on the internet.
+
+This README is setup to expose port 22 (the ssh port) of a target openSUSE
+PC to the world by opening a port 2222 tunnel port on a public facing
+openSUSE server in the cloud. It is assumed port 2222 will be where
+ssh clients will connect to. Those connections will be forwarded via
+the ssh reverse tunnel to port 22 on the target PC hidden behind the firewall.
+
+### Step one goal
+
+From the target openSUSE PC ensure root can issue a ssh command to your public openSUSE server and not have a password be requested.
+
+ssh -i /root/.ssh/id_rsa.autossh autossh@my.cloud.server
+
+autossh can be any user account on both the target and public servers, but it is recommended it be one dedicated to providing tunnels and not allow interactive login.
+
+my.cloud.server => replace with the fqdn of your public server.
+
+### Step one
+
+on the public (cloud) PC:
+> sudo /usr/sbin/useradd -m autossh (or other as you desire)
+ sudo passwd autossh # set a tempory password
+
+on the target PC:
+> sudo /usr/sbin/useradd -m autossh (or other as you desire)
+> sudo passwd autossh # set a tempory password
+> start a command line as autossh (or su - autossh)
+> ssh-keygen (take defaults for all questions)
+> scp /home/autossh/.ssh/id_rsa.pub autossh@my.cloud.server:id_rsa.pub
+> ssh autossh@my.cloud.server
+>> (accept the cert and enter password)
+ mkdir .ssh
+ cat id_rsa.pub >> .ssh/authorized_keys
+ rm id_rsa.pub
+ logout
+
+> ssh autossh@my.cloud.server
+>> (password should not be required)
+>> logout
+
+> sudo cp /home/autossh/.ssh/id_rsa /root/.shh/id_rsa.autossh
+> sudo ssh -i /root/.ssh/id_rsa.autossh autossh@my.cloud.server
+>> (password should not be required)
+>> logout
+
+### Step two
+
+on the public (cloud) PC:
+> sudo /usr/sbin/usermod -s /sbin/nologin autossh
+
+on the target PC:
+> test that ssh connects, but the connection is immediately closed
+ sudo ssh -i /root/.ssh/id_rsa.autossh autossh@my.cloud.server
+
+### Step three
+Assuming you are using systemd:
+
+on the target PC:
+> sudo systemctl enable autossh@ssh.service
+> sudo mkdir /etc/systemd/system/autossh@ssh.service.d
+> sudo cp /usr/share/doc/packages/autossh/my.conf /etc/systemd/system/autossh@ssh.service.d
+> sudo vi /etc/systemd/system/autossh@ssh.service.d/my.conf
+
+>> replace ExecStart line with:
+
+>>ExecStart=/usr/bin/autossh -i /root/.ssh/id_rsa.autossh -M 0 -NR *:2222:localhost:22 -o TCPKeepAlive=yes autossh@my.cloud.server
+
+>> and of course replace the server name.
+
+>>fyi: this command says
+ * - On the public facing server allow all IPs to connect
+ 2222 - On the public facing server listen on port 2222
+ localhost - name of local PC the tunnel is exposing
+ 22 - port on local PC the tunnel is exposing
+
+> sudo systemctl start autossh@ssh.service
+
+
+### Step four
+
+test
+
+In order to eliminate firewall issues test first directly on the public facing server:
+
+On public (cloud) server -
+ssh -l -p 2222 localhost
+
+That should open a ssh connection from the public server through the ssh reverse tunnel to the target PC.
+
+Once that works, expand your testing to other client machines. If you have issues be sure to check the firewall status of your public facing server.
diff --git a/autossh.changes b/autossh.changes
index 4a02d32..4dbddb6 100644
--- a/autossh.changes
+++ b/autossh.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Apr 24 21:08:10 UTC 2015 - Greg.Freemyer@gmail.com
+
+- change autossh.service content to reflect it is a READONLY file.
+- change the install line for autossh.service to:
+%__install -D -m 444 %{S:3} %{buildroot}%{_unitdir}/autossh@.service
+ * This has 2 big changes. First the permissions are 444, so READONLY.
+ * Second, note the @ char in the target name.
+ This makes it an instantiated service file
+- add a sample my.conf override file
+- add a README.SUSE.md file that:
+ * explains how to use systemd instantiated service
+ * how to use the override file
+ * a full walkthru of how to setup a reverse tunnel
+
 -------------------------------------------------------------------
 Thu Dec 18 11:23:53 UTC 2014 - p.drouand@gmail.com
diff --git a/autossh.service b/autossh.service
index fadb1e4..afdfc23 100644
--- a/autossh.service
+++ b/autossh.service
@@ -1,11 +1,15 @@
+# DO NOT EDIT THIS FILE,
+# use /etc/systemd/system/autossh@*.service.d/my.conf to override this file instead
+
 [Unit]
 Description=AutoSSH service for port 2222
 After=network.target
 [Service]
 Environment="AUTOSSH_GATETIME=0"
-ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com
+ExecStart=echo "This line MUST be overridden. See /usr/share/doc/packages/autossh/README.SUSE.md for details."
 [Install]
 WantedBy=multi-user.target
+# DO NOT EDIT THIS FILE,
diff --git a/autossh.spec b/autossh.spec
index 0ac05ed..85869bd 100644
--- a/autossh.spec
+++ b/autossh.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package autossh
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+
 %if 0%{?suse_version} > 1220
 %define with_systemd 1
 %else
@@ -33,6 +34,8 @@ Source: http://www.harding.motd.ca/autossh/%{name}-%{version}.tgz
 Source1: autossh.init
 Source2: autossh.conf
 Source3: autossh.service
+Source4: my.conf
+Source5: README.SUSE.md
 Patch0: autossh-makefile-destdir.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -58,6 +61,8 @@ such as connection refused.
 %prep
 %setup
 %patch0 -p1
+cp %{S:4} .
+cp %{S:5} .
 %build
 %configure
@@ -67,7 +72,7 @@ such as connection refused.
 %makeinstall
 %__mkdir_p %{buildroot}%{_sbindir}
 %if %{with_systemd}
-%__install -D -m 755 %{S:3} %{buildroot}%{_unitdir}/autossh.service
+%__install -D -m 444 %{S:3} %{buildroot}%{_unitdir}/autossh@.service
 ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh
 %else
 %__install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/autossh
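Review bot: `ExecStart=echo "This line MUST be overridden. ..."` is not an absolute path, and systemd releases before v239 (every release in 2015) refuse a non-absolute executable in ExecStart, so an instance started before its drop-in exists fails at unit load with "Executable path is not absolute" instead of printing this hint; `ExecStart=/bin/echo "..."` loads, and `/bin/false` after the echo would additionally make an un-overridden instance fail visibly rather than exit 0 and go quietly inactive. The unit also carries no `User=`, so every tunnel's ssh client and private key run in root's context even though the README creates a dedicated `autossh` account; `User=autossh` here, with the key under that account's home, would be the least-privilege default for a long-lived network client. `Description=AutoSSH service for port 2222` is stale for a template unit, and the trailing `+# DO NOT EDIT THIS FILE,` line is a dangling fragment of the header comment. Since this message sends users to README.SUSE.md, note that the README's key-copy step writes to `/root/.shh/id_rsa.autossh` while every later `-i` reads `/root/.ssh/id_rsa.autossh`.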
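Review bot: The `ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh` line kept in the `%if %{with_systemd}` branch of the `@@ -67,7 +72,7 @@` hunk now points at a unit that is no longer shipped: `rcautossh start` resolves to `autossh.service`, but only the template `autossh@.service` is installed, so the helper fails with a unit-not-found error. Either drop the symlink from the systemd branch or leave it only in the `%else` sysvinit path. Any `%service_add_pre`/`%service_add_post`/`%service_del_preun`/`%service_del_postun` calls elsewhere in the spec that still name `autossh.service` would need the same rename to `autossh@.service`; those scriptlets are outside this patch, so that part is inferred.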
@@ -101,11 +106,11 @@ ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh
 %files
 %defattr(-, root, root, 0755)
-%doc CHANGES README
+%doc CHANGES README README.SUSE.md my.conf
 %doc autossh.host rscreen
 %{_bindir}/autossh
 %if %{with_systemd}
-%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}@.service
 %else
 %{_initrddir}/autossh
 /var/adm/fillup-templates/sysconfig.autossh
diff --git a/my.conf b/my.conf
new file mode 100644
index 0000000..095ec50
--- /dev/null
+++ b/my.conf
@@ -0,0 +1,16 @@
+# Override and reset the Description to blank
+Description=
+# Then append my local description to the blank Description
+Description=AutoSSH service for ssh reverse tunnel
+
+# Override and reset ExecStart to blank
+ExecStart=
+
+# Append a legal command to create a normal encrypted tunnel
+# ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com
+
+# OR
+
+# Append a legal command to create a reverse encrypted tunnel
+# ExecStart=/usr/bin/autossh -M 0 -NR 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com
+
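Review bot: The drop-in has no section headers, so systemd treats `Description=` and `ExecStart=` as assignments outside of any section, logs a warning and ignores them, which makes the override the README's step three depends on a silent no-op; add `[Unit]` above the first `Description=` line and `[Service]` above the `ExecStart=` reset. The empty `ExecStart=` line itself is correct and must stay, since without it a second ExecStart is appended to the template's command rather than replacing it. The blank `Description=` reset is harmless but unnecessary, as Description is a single-value setting that the following assignment simply replaces.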