On 26Aug2020 17:00, Jamie Fargen jamie@fargenable.com wrote:
/etc/autossh/ipaddress-port
OPTIONS=-i /path/to/private/key -M 10985 -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -o "StrictHostKeyChecking=no" -tt -R 6667:localhost:22 root@ip.ad.dr.ess
Just a general remark about remote ssh forwards. Unless you _know_ that the machine you are exposing is itself very well secured, it is better to use this form of the -R option:
-R 127.0.0.1:6667:localhost:22
That exposes the internal-machine ssh service only to localhost on the target external-machine. The default, if sshd has GatewayPorts enabled, is to expose it on "*" - allowing access (and therefore _attack_) on the external interfaces of the external machine.
When I make this kind of arrangement I always tie the exposed service to only the local interface, and access it via an ssh jump, e.g. ssh clause:
Host internal-machine
    ProxyCommand ssh -W 127.0.0.1:6667 external-machine
That way the only people who can access the ssh service of internal-machine are those already allowed access to external-machine, rather than the entire internet.
Cheers,
Cameron Simpson cs@cskk.id.au
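
An added example, not part of the message above: a small Python check that pulls the `-R` specs out of an autossh `OPTIONS=` line and reports which address each remote forward asks to listen on. The label names and the function names are assumptions made for this illustration; the sample lines are the two forms shown in the thread.

```python
import shlex

LOOPBACK_NAMES = {"localhost", "::1"}

def split_spec(spec):
    """Split on ':' but keep [bracketed] IPv6 literals in one piece."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf]

def classify(spec):
    """Classify one -R [bind_address:]port:host:hostport spec."""
    parts = split_spec(spec)
    if len(parts) == 3 and parts[0].isdigit():
        # No bind address given: the listen address is left to the server,
        # and per the message a GatewayPorts-enabled sshd exposes it on "*".
        return "server-decides"
    if len(parts) == 4 and parts[1].isdigit():
        bind = parts[0].strip("[]")
        if bind in ("", "*"):
            return "all-interfaces"
        if bind in LOOPBACK_NAMES or bind.startswith("127."):
            return "loopback-only"
        return "specific-address"
    return "not-a-tcp-forward"  # e.g. "-R port" or a socket path

def remote_forwards(options_line):
    """Return [(spec, label)] for every -R in an ssh/autossh option string."""
    tokens = shlex.split(options_line)
    found = []
    for i, tok in enumerate(tokens):
        if tok == "-R" and i + 1 < len(tokens):
            spec = tokens[i + 1]
        elif tok.startswith("-R") and len(tok) > 2:
            spec = tok[2:]  # attached form: -R127.0.0.1:6667:localhost:22
        else:
            continue
        found.append((spec, classify(spec)))
    return found

# The OPTIONS line quoted in the thread, and the same forward in pinned form.
ORIGINAL = 'OPTIONS=-i /path/to/private/key -M 10985 -o "StrictHostKeyChecking=no" -tt -R 6667:localhost:22 root@ip.ad.dr.ess'
PINNED = 'OPTIONS=-i /path/to/private/key -M 10985 -tt -R 127.0.0.1:6667:localhost:22 root@ip.ad.dr.ess'

if __name__ == "__main__":
    for line in (ORIGINAL, PINNED):
        print(remote_forwards(line))
```

Anything labelled `server-decides` or `all-interfaces` is a candidate for rewriting into the `127.0.0.1:` form and reaching it through the jump host instead.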