Accepting request 305305 from home:gregfreemyer:branches:security

Make autossh a instantiated service in systemd environments. Add a readme that details the installation. OBS-URL: https://build.opensuse.org/request/show/305305 OBS-URL: https://build.opensuse.org/package/show/security/autossh?expand=0&rev=19
2015-05-11 01:16:35 +00:00 · 2015-05-11 01:16:35 +00:00 · 12da744214
commit 12da744214
parent 53336b96ad
5 changed files with 182 additions and 5 deletions
--- a/README.SUSE.md
+++ b/README.SUSE.md
@ -0,0 +1,137 @@
+
+This README is written in markdown format.  The retext editor in "preview" mode is one method of viewing it properly.
+Anyone editing this document should verify it displays properly in retext preview mode before submitting changes.
+
+# autossh
+
+autossh is designed to let you setup both normal encrypted and reverse encrypted tunnels.
+
+## autossh with systemd
+
+To use autossh as a systemd service the following MUST be done at a minimum:
+
+autossh is an "instantiated" service with systemd meaning you can instantiate
+it multiple times in order to create multiple tunnels
+
+The below is psuedo code that shows what YOU need to do.
+The values for my_tunnel should be whatever you desire them to be
+
+for (my_tunnel in ssh http imap pop) {
+>  	sytemctl enable autossh@${my-tunnel}.service
+
+>	mkdir /etc/systemd/system/autossh@${my-tunnel}.service.d
+	cp /usr/share/doc/packages/autossh/my.conf /etc/systemd/system/autossh@${my-tunnel}.service.d
+	edit /etc/systemd/system/autossh@${my-tunnel}.service.d/my.conf to reflect your needs
+
+>	sytemctl start autossh@${my-tunnel}.service
+
+}
+
+The author of this README only uses autossh for reverse tunnels, so see
+the below reverse tunnels description for detailed instructions of that usage.
+
+## autossh to create reverse encrypted tunnels
+
+This README supplements the above.
+
+You should read and understand the instructions in the above before reading these.
+
+These are detailed steps you must do to actually use autossh in openSUSE.
+
+### Reverse tunnel overview
+
+autossh is designed to let you setup both normal encrypted and reverse encrypted tunnels.
+
+With a reverse encrypted tunnel you can, as an example, have a machine behind
+a NAT firewall expose a ssh listening port by tunneling it through a well known
+server to a public facing port on the internet.
+
+This README is setup to expose port 22 (the ssh port) of a target openSUSE
+PC to the world by opening a port 2222 tunnel port on a public facing
+openSUSE server in the cloud.  It is assumed port 2222 will be where
+ssh clients will connect to.  Those connections will be forwarded via
+the ssh reverse tunnel to port 22 on the target PC hidden behind the firewall.
+
+### Step one goal
+
+From the target openSUSE PC ensure root can issue a ssh command to your public openSUSE server and not have a password be requested.
+
+ssh -i /root/.ssh/id_rsa.autossh autossh@my.cloud.server
+
+autossh can be any user account on both the target and public servers, but it is recommended it be one dedicated to providing tunnels and not allow interactive login.
+
+my.cloud.server  => replace with the fqdn of your public server.
+
+### Step one
+
+on the public (cloud) PC:
+>   sudo /usr/sbin/useradd -m autossh    (or other as you desire) <br>
+   sudo passwd autossh   # set a tempory password
+
+on the target PC:
+>   sudo /usr/sbin/useradd -m autossh    (or other as you desire)  <br>
+>   sudo passwd autossh   # set a tempory password   <br>
+>   start a command line as autossh (or su - autossh) <br>
+>   ssh-keygen  (take defaults for all questions) <br>
+>   scp /home/autossh/.ssh/id_rsa.pub autossh@my.cloud.server:id_rsa.pub <br>
+>   ssh autossh@my.cloud.server  <br>
+>>	  (accept the cert and enter password) <br>
+	   mkdir .ssh  <br>
+	   cat id_rsa.pub >>  .ssh/authorized_keys <br>
+	   rm id_rsa.pub  <br>
+	   logout
+
+>   ssh autossh@my.cloud.server <br>
+>>	   (password should not be required)
+>>	   logout
+
+>   sudo cp /home/autossh/.ssh/id_rsa /root/.shh/id_rsa.autossh <br>
+>   sudo ssh -i /root/.ssh/id_rsa.autossh autossh@my.cloud.server <br>
+>>	   (password should not be required)
+>>	   logout
+
+### Step two
+
+on the public (cloud) PC:
+>   sudo /usr/sbin/usermod -s /sbin/nologin autossh
+
+on the target PC:
+>   test that ssh connects, but the connection is immediately closed  <br>
+   sudo ssh -i /root/.ssh/id_rsa.autossh autossh@my.cloud.server
+
+### Step three
+Assuming you are using systemd:
+
+on the target PC:
+> sudo systemctl enable autossh@ssh.service <br>
+> sudo mkdir /etc/systemd/system/autossh@ssh.service.d  <br>
+> sudo cp /usr/share/doc/packages/autossh/my.conf /etc/systemd/system/autossh@ssh.service.d  <br>
+> sudo vi /etc/systemd/system/autossh@ssh.service.d/my.conf
+
+>> replace ExecStart line with:
+
+>>ExecStart=/usr/bin/autossh -i /root/.ssh/id_rsa.autossh -M 0 -NR *:2222:localhost:22 -o TCPKeepAlive=yes autossh@my.cloud.server
+
+>> and of course replace the server name.
+
+>>fyi: this command says  <br>
+ * - On the public facing server allow all IPs to connect  <br>
+ 2222 - On the public facing server listen on port 2222  <br>
+ localhost - name of local PC the tunnel is exposing  <br>
+ 22 - port on local PC the tunnel is exposing
+
+> sudo systemctl start autossh@ssh.service
+
+
+### Step four
+
+test
+
+In order to eliminate firewall issues test first directly on the public facing server:
+
+On public (cloud) server -
+ssh -l <valid_user> -p 2222 localhost
+
+That should open a ssh connection from the public server through the ssh reverse tunnel to the target PC.
+
+Once that works, expand your testing to other client machines.  If you have issues be sure to check the firewall status of your public facing server.
--- a/autossh.changes
+++ b/autossh.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Apr 24 21:08:10 UTC 2015 - Greg.Freemyer@gmail.com
+
+- change autossh.service content to reflect it is a READONLY file.
+- change the install line for autossh.service to:
+%__install -D -m 444 %{S:3} %{buildroot}%{_unitdir}/autossh@.service
+    * This has 2 big changes.  First the permissions are 444, so READONLY.
+    * Second, note the @ char in the target name.  
+          This makes it an instantiated service file
+- add a sample my.conf override file
+- add a README.SUSE.md file that:
+    * explains how to use systemd instantiated service 
+    * how to use the override file
+    * a full walkthru of how to setup a reverse tunnel
+
 -------------------------------------------------------------------
 Thu Dec 18 11:23:53 UTC 2014 - p.drouand@gmail.com

--- a/autossh.service
+++ b/autossh.service
@ -1,11 +1,15 @@
+# DO NOT EDIT THIS FILE,
+# use /etc/systemd/system/autossh@*.service.d/my.conf to override this file instead
+
 [Unit]
 Description=AutoSSH service for port 2222
 After=network.target

 [Service]
 Environment="AUTOSSH_GATETIME=0"
-ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com
+ExecStart=echo "This line MUST be overridden.  See /usr/share/doc/packages/autossh/README.SUSE.md for details."

 [Install]
 WantedBy=multi-user.target

+# DO NOT EDIT THIS FILE,
--- a/autossh.spec
+++ b/autossh.spec
@ -1,7 +1,7 @@
 #
 # spec file for package autossh
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

+
 %if 0%{?suse_version} > 1220
 %define with_systemd 1
 %else
@ -33,6 +34,8 @@ Source:         http://www.harding.motd.ca/autossh/%{name}-%{version}.tgz
 Source1:        autossh.init
 Source2:        autossh.conf
 Source3:        autossh.service
+Source4:        my.conf
+Source5:        README.SUSE.md
 Patch0:         autossh-makefile-destdir.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@ -58,6 +61,8 @@ such as connection refused.
 %prep
 %setup
 %patch0 -p1
+cp %{S:4} .
+cp %{S:5} .

 %build
 %configure
@ -67,7 +72,7 @@ such as connection refused.
 %makeinstall
 %__mkdir_p %{buildroot}%{_sbindir}
 %if %{with_systemd}
-%__install -D -m 755 %{S:3} %{buildroot}%{_unitdir}/autossh.service
+%__install -D -m 444 %{S:3} %{buildroot}%{_unitdir}/autossh@.service
 ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh
 %else
 %__install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/autossh
@ -101,11 +106,11 @@ ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh

 %files
 %defattr(-, root, root, 0755)
-%doc CHANGES README
+%doc CHANGES README README.SUSE.md my.conf
 %doc autossh.host rscreen
 %{_bindir}/autossh
 %if %{with_systemd}
-%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}@.service
 %else
 %{_initrddir}/autossh
 /var/adm/fillup-templates/sysconfig.autossh
--- a/my.conf
+++ b/my.conf
@ -0,0 +1,16 @@
+# Override and reset the Description to blank
+Description=
+# Then append my local description to the blank Description
+Description=AutoSSH service for ssh reverse tunnel
+
+# Override and reset ExecStart to blank
+ExecStart=
+
+# Append a legal command to create a normal encrypted tunnel
+# ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com
+
+# OR
+
+# Append a legal command to create a reverse encrypted tunnel
+# ExecStart=/usr/bin/autossh -M 0 -NR 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com
+