- Create the user that will run the agent service:

  ```shell
  sudo useradd --system --create-home --user-group --shell "$(which nologin)" rssht-agent
  ```

- Change to the user `rssht-agent` and its `HOME` directory:

  ```shell
  sudo -H -u rssht-agent bash
  cd
  ```

- Ensure the `.ssh` directory exists and has the correct permissions:

  ```shell
  mkdir -p .ssh
  chmod 700 .ssh
  ```

- Generate the public/private RSA key pair the agent will use to connect to the intermediate SSH server; replace `<AGENT-ID>` accordingly:

  ```shell
  ssh-keygen -C "<AGENT-ID>" -N "" -f ".ssh/id_rsa"
  ```

- Copy the public key to the intermediate SSH server; replace `<SSH-USER>`, `<SSH-SERVER>` and `<SSH-PORT>` accordingly (see the configuration of the intermediate SSH server):

  ```shell
  ssh-copy-id -i ".ssh/id_rsa.pub" <SSH-USER>@<SSH-SERVER> -p <SSH-PORT>
  ```

- Download the source code and change to its directory:

  ```shell
  git clone https://github.com/guallo/remote-ssh-tunnel-agent.git
  cd remote-ssh-tunnel-agent
  ```

- Configure the agent with the corresponding `<OPTION>`s (see the configuration of the intermediate SSH server):

  ```shell
  sed -i 's/^\(SSH_USER=\).*$/\1<SSH-USER>/' rssht-agent.sh
  sed -i 's/^\(SSH_SERVER=\).*$/\1<SSH-SERVER>/' rssht-agent.sh
  sed -i 's/^\(SSH_PORT=\).*$/\1<SSH-PORT>/' rssht-agent.sh
  sed -i 's!^\(SWAP_DIRECTORY=\).*$!\1"<SWAP-DIRECTORY>"!' rssht-agent.sh
  ```

- Give the agent's user execute permission on the script:

  ```shell
  chmod u+x rssht-agent.sh
  ```

- Return to the original user and directory:

  ```shell
  exit
  ```

- Install, enable and start the systemd unit:

  ```shell
  sudo cp /home/rssht-agent/remote-ssh-tunnel-agent/rssht-agent.service /lib/systemd/system/
  sudo systemctl enable rssht-agent.service
  sudo systemctl start rssht-agent.service
  ```
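The four `sed` substitutions in the configuration step silently change nothing when the `KEY=` line they look for is absent (a typo in the key name, or an upstream rename), and a value containing `&` or the `sed` delimiter would corrupt the replacement. The helper below is an added example and not part of the remote-ssh-tunnel-agent project: it sets an option in a copy of the script and verifies that the line existed and that the value reads back. `set_agent_option`, `get_agent_option`, `make_sample_agent_script`, the stand-in script contents and the host name `ssh.example.invalid` are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not the project's code: set KEY=VALUE options in a copy of
# rssht-agent.sh with a check that the key line exists and the value landed.

# make_sample_agent_script FILE
# Writes a constructed stand-in for rssht-agent.sh containing only the option
# lines the README configures (the real script is not reproduced here).
make_sample_agent_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
# constructed stand-in for rssht-agent.sh (not the real script)
SSH_USER=
SSH_SERVER=
SSH_PORT=22
SWAP_DIRECTORY=""
EOF
}

# get_agent_option FILE KEY
# Prints the value of KEY, stripping one pair of surrounding double quotes.
get_agent_option() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# set_agent_option FILE KEY VALUE
# Replaces the whole "KEY=..." line with KEY="VALUE". Fails when FILE has no
# such line (where a plain sed -i reports success and changes nothing) and
# when the result does not read back as VALUE.
set_agent_option() {
    file=$1; key=$2; value=$3
    if ! grep -q "^${key}=" "$file"; then
        printf 'set_agent_option: no %s= line in %s\n' "$key" "$file" >&2
        return 1
    fi
    # Escape the characters that are special in a sed replacement (\ & and
    # the | delimiter) so paths and names pass through unchanged.
    escaped=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    sed "s|^${key}=.*\$|${key}=\"${escaped}\"|" "$file" > "$file.tmp" || return 1
    # Copy back through the existing inode so the file's mode (e.g. u+x)
    # is preserved; sed -i would do the same but is less portable.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    [ "$(grep -c "^${key}=" "$file")" -eq 1 ] || return 1
    [ "$(get_agent_option "$file" "$key")" = "$value" ]
}

# demo: configure a stand-in script the way the README's sed commands do.
demo() {
    f=$(mktemp)
    make_sample_agent_script "$f"
    set_agent_option "$f" SSH_USER rssht-server
    set_agent_option "$f" SSH_SERVER ssh.example.invalid   # placeholder host
    set_agent_option "$f" SSH_PORT 443
    set_agent_option "$f" SWAP_DIRECTORY /home/rssht-server/rssht-swap-dir
    cat "$f"
    rm -f "$f"
}

if [ "${1:-}" = --demo ]; then
    demo
fi
```

Run with `--demo` to see the configured stand-in printed; on a real install the same function is pointed at `rssht-agent.sh` instead of the temporary file. Quoting every value is a deliberate difference from the original `sed` lines, which quote only `SWAP_DIRECTORY`; `get_agent_option` accepts both forms.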
NOTICE: this upgrade method currently does not redeploy the systemd unit file `rssht-agent.service`, even if a newer version of it is pulled.
- Change to the agent's user and installation directory:

  ```shell
  sudo -H -u rssht-agent bash
  cd "$HOME/remote-ssh-tunnel-agent"
  ```

- Configure a temporary identity:

  ```shell
  git config user.name temp
  git config user.email temp
  ```

- Temporarily save the local changes:

  ```shell
  git add -A
  git commit -m 'temp'
  ```

- Apply the latest remote changes:

  ```shell
  git pull --rebase
  ```

- Resolve any conflicts that arise from the previous step.

- Restore the local changes:

  ```shell
  git reset HEAD~1
  chmod u+x rssht-agent.sh
  ```

- Discard the temporary identity:

  ```shell
  git config --unset user.name
  git config --unset user.email
  ```

- Return to the original user and directory:

  ```shell
  exit
  ```

- Restart the agent service:

  ```shell
  sudo systemctl restart rssht-agent.service
  ```
- Create the `<SSH-USER>` that the agents will use to fetch commands from, and notify status to, the `<SSH-SERVER>`:

  ```shell
  sudo useradd --create-home --home-dir /home/rssht-server --shell /bin/bash rssht-server
  ```

- Assign A VERY STRONG password to the `<SSH-USER>`:

  ```shell
  sudo passwd rssht-server
  ```

- It is convenient to set the `<SSH-PORT>` to `443` (commonly used for the https protocol) to avoid, as much as possible, the agents getting blocked by their ISPs. To do that, configure `Port 443` in the `/etc/ssh/sshd_config` file.

- Override the following settings for the `<SSH-USER>` and restart the ssh service:

  ```shell
  sudo tee -a /etc/ssh/sshd_config >/dev/null <<EOF
  Match User rssht-server
  PasswordAuthentication yes
  PubkeyAuthentication yes
  AllowTcpForwarding yes
  GatewayPorts yes
  EOF
  sudo systemctl restart sshd
  ```

- Create the `<SWAP-DIRECTORY>`, used by the agents to fetch commands from the `<SWAP-DIRECTORY>/<AGENT-ID>.in` file and notify status to the `<SWAP-DIRECTORY>/<AGENT-ID>.out` file:

  ```shell
  sudo -H -u rssht-server bash -c 'mkdir /home/rssht-server/rssht-swap-dir'
  ```

- Protect the `<SWAP-DIRECTORY>`:

  ```shell
  sudo chmod 700 /home/rssht-server/rssht-swap-dir
  ```
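The last two steps create and lock down the swap directory; since every agent's commands and status pass through the `<AGENT-ID>.in` and `<AGENT-ID>.out` files inside it, a quick check that neither the directory nor those files have been loosened later is worth keeping at hand. The function below is an added example and not part of the project: `check_swap_dir`, `demo_layout` and the `<AGENT-ID>` value `agent-01` are constructed for this illustration, the file contents are placeholders rather than the agent protocol, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not the project's code: verify that the swap directory and
# the <AGENT-ID>.in / <AGENT-ID>.out files inside it are owner-private.

# check_swap_dir DIR UID
# Returns 0 when DIR exists, is owned by UID, has mode 700, and no .in/.out
# file in it grants group or other any permission. Assumes GNU stat.
check_swap_dir() {
    dir=$1; uid=$2
    [ -d "$dir" ] || { printf 'missing directory: %s\n' "$dir" >&2; return 1; }
    [ "$(stat -c '%u' "$dir")" = "$uid" ] \
        || { printf 'not owned by uid %s: %s\n' "$uid" "$dir" >&2; return 1; }
    [ "$(stat -c '%a' "$dir")" = 700 ] \
        || { printf 'mode is not 700: %s\n' "$dir" >&2; return 1; }
    for f in "$dir"/*.in "$dir"/*.out; do
        [ -e "$f" ] || continue            # unmatched glob, nothing to check
        mode=$(stat -c '%a' "$f")
        case $mode in
            *00) ;;                        # group and other have no bits set
            *) printf 'group/other access on %s (mode %s)\n' "$f" "$mode" >&2
               return 1 ;;
        esac
    done
    return 0
}

# demo_layout DIR
# Builds a constructed swap directory holding one agent's command and status
# files (empty placeholders, not the real agent protocol).
demo_layout() {
    mkdir -p "$1" && chmod 700 "$1"
    : > "$1/agent-01.in" && chmod 600 "$1/agent-01.in"
    : > "$1/agent-01.out" && chmod 600 "$1/agent-01.out"
}

if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    demo_layout "$d" && check_swap_dir "$d" "$(id -u)" && echo "swap directory OK"
    rm -rf "$d"
fi
```

On the server configured on this page the call is `check_swap_dir /home/rssht-server/rssht-swap-dir "$(id -u rssht-server)"`; a non-zero exit with the reason on stderr makes it usable from a cron job or a monitoring check.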
To watch sshd's process tree every second:

```shell
watch -n 1.0 "pstree -acglnp $(ps -C sshd -o pid,cmd --no-headers | grep /usr/sbin/sshd | grep -Po '\d+' | head -n 1)"
```