Ubuntu – Making a crontab reversed SSH connection using script

autosshcronssh

I have a PC behind a NAT which makes a reversed SSH connection to my Digitalocean VPC. I utilise this reversed SSH connection from home to login to my office PC (I am authorised to do so) and copy files and do other important things.

Although not often, I noticed that my office PC restarts (due to power failures etc) and breaks the reversed SSH connection it has made with my VPC. In these kind of cases, I am unable to connect from my home PC to my office PC.

I run the following script to make the reversed connection + dynamic proxy to anonymise my traffic ( As I am not required to share browsing information) generated at the office PC.

autossh -CD 8080 -i digitalOcean -R 8081:localhost:22 root@IPofDigitalOceanPC

There is no way I can run this script again on my office PC upon a restart as I am not physically there. In order to solve this problem I installed the following crontab.

Note: rev.sh file contains the above line. The certificate "digitalOcean" and rev.sh is located in Ubuntu home. Therefore, when I execute ./rev.sh in my Ubuntu terminal I obtain a dynamic proxy and also access to my DigitalOcean server. This method works 100%.

However when I install the crontab in the following method, My ubuntu PC never makes a Dynamic proxy. I can see this because when I check this proxy from Google Chrome, it says proxy is refusing connection.

Here are the cronjobs I tried as root's cronjobs. I also tried these as a normal user, still they didn't work.

@reboot bash /home/user/rev.sh 
@reboot /home/user/rev.sh 
@reboot cd /home/user && ./rev.sh

I then installed a crontab a several minutes before the current time and waited for it to execute.

24 12 * * * bash /home/user/rev.sh
24 12 * * * /home/user/rev.sh
24 12 * * * reboot

These did not execute either.

I also tried 48 15 * * * bash /home/user/rev.sh >> test3 and */1 * * * * reboot -f >> test but the test3 and test have nothing. However the files has been CREATED!! by the crontab!

Please be kind enough to help me spot my mistake.
There are many similar questions on this website on my issue. I have referred many answers hence but none of them seemed to help.

Best Answer

A better solution would be to make use of watchdog. watchdog is a daemon which will watch running processes and if they exit will automatically restart them.

Install watchdog on Ubuntu 16.04

sudo apt-get install watchdog

How watchdog works

The watchdog(8) daemon will execute scripts in /etc/watchdog.d with the argument test or repair. (see TEST DIRECTORY section of watchdog(8) man page). Your watchdog script handles those two arguments when it checks to see if a process is running and takes an action to repair it.

You can configure watchdog by modifying /etc/watchdog.conf (See watchdog.conf(5)).

Example `watchdog.d` script

Take for example /etc/watchdog.d/autossh_script (which has 755 permissions and is owned by root).

Note: you may need to customize $targetuser environment variable in the example script. sam is my username.

#!/bin/bash

targetuser=sam

runTest=false
runRepair=false

case $1 in
  test)
    runTest=true
  ;;
  repair)
    runRepair=true
    repairExitCode=$2
  ;;
  *)
    echo 'Error: script needs to be run by watchdog' 1>&2
    exit 1
  ;;
esac

if ${runTest}; then
  #run a test here which will tell the status of your process
  #the exit code of this script will be the repairExitCode if it is non-zero
  if ! pgrep autossh &> /dev/null; then
    #autossh not running; notify watchdog to repair
    exit 1
  else
    #autossh running; no action necessary
    exit 0
  fi
fi

if ${runRepair}; then
  #take an action to repair the affected item
  #use a case statement on $repairExitCode to handle different failure cases
  su - ${targetuser} -c 'nohup autossh -f -- -NCD 8080 -i digitalOcean -R 8081:localhost:22 root@IPofDigitalOceanPC'
  exit 0
fi

I added -N to your ssh command in the example script so it only starts the tunnel but does not attempt to create a login shell.
I added -f to autossh so that it runs in the background.
The example script uses a simple pgrep pattern. However, you can further narrow the test to a specific user or even use a pattern for the process. See pgrep(1) for how to further customize your test using pgrep.

Configuring watchdog

/etc/watchdog.conf and /etc/defaults/watchdog are places to configure watchdog. See watchdog.conf(5).

One thing to note is user scripts are executed once every second by default. I recommend increasing this to at least 30 seconds unless you have a need for more realtime checking. Adjust the interval setting in watchdog.conf.

Troubleshooting

You may need to create the /etc/watchdog.d directory before your script.

/var/log/watchdog/* contains watchdog related logs and errors. If your script outputs to stdout or stderr then it will be written there. On my system I notice my script executes test or repair roughly once every second. If you use echo in your script it should only be temporary for debugging purposes only. Otherwise, discarding output is recommended except in the case of errors.

If your script is not running at all then check the permissions: ls -l /etc/watchdog.d.

Configuring sshd

The best place to get known to the possibilities of SSH is by reading the related manual pages:

Where can SSH client perform actions?

Before you can restrict something, you need to know the features of SSH. Spitting through the manual pages yields:

Shell commands execution
File upload through sftp
Port forwarding
- The client forwards an (un)used port to the server
- The server forwards his port to the client
- The server forwards a port of another host to the client (proxy-ish)
X11 forwarding (display forwarding)
Authentication agent forwarding
Forwarding of a tunnel device

From the Authentication section of the manual page of sshd(8):

If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP connections, or forwarding the authentication agent connection over the secure channel.

After this, the client either requests a shell or execution of a command. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal in the client side.

Options for restricting SSH features

Files and their options that alter behavior are:

~/.ssh/authorized_keys - contains keys which are allowed to connect which can be given options:
- command="command" - The command supplied by the user (if any) is ignored. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. Note that this option applies to shell, command or subsystem execution.
- no-agent-forwarding - Forbids authentication agent forwarding when this key is used for authentication.
- no-port-forwarding - Forbids TCP forwarding when this key is used for authentication
- no-X11-forwarding - "Forbids X11 forwarding when this key is used for authentication."
- permitopen="host:port" - Limit local 'ssh -L' port forwarding such that it may only connect to the specified host and port.
~/.ssh/environment - This file is read into the environment at login (if it exists). Environment processing is disabled by default and is controlled via the PermitUserEnvironment option
~/.ssh/rc - Contains initialization routines to be run before the user's home directory becomes accessible.
/etc/ssh/sshd_config - the system-wide configuration file
- AllowAgentForwarding - Specifies whether ssh-agent(1) forwarding is permitted.
- AllowTcpForwarding
- ForceCommand - "Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option."
- GatewayPorts - "Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect."
- PermitOpen:
  Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
```
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
```
  Multiple forwards may be specified by separating them with whitespace. An argument of 'any' can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
- PermitTunnel - Specifies whether tun(4) device forwarding is allowed. The default is 'no'
- X11Forwarding - Specifies whether X11 forwarding is permitted. The default is 'no'

Applying the restrictions

Modifying the system-wide configuration file /etc/ssh/sshd_config allows the configuration be applied even if password-based authentication is applied or if the restrictions in ~/.ssh/authorized_keys are accidentally removed. If you've modified the global defaults, you should uncomment the options accordingly.

Match User limited-user
   #AllowTcpForwarding yes
   #X11Forwarding no
   #PermitTunnel no
   #GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:62222
   ForceCommand echo 'This account can only be used for [reason]'

Now add a user:

sudo useradd -m limited-user

The option ForceCommand can be omitted if the shell is set to a non-shell like /bin/false (or /bin/true) as /bin/false -c [command] won't do anything.

Now the client can only connect to port 62222 on the loopback address of the server over SSH (it will not listen on the public IP address)

Disabling AllowTcpForwarding would also disallow the use of -R, thus defeating the use of such a restricted account for forwarding a single port. PermitOpen localhost:62222 assumes that port 62222 on the server is never in use because the client can happily connect to it and listen on it too.

If TCP forwarding is allowed in the system-wide configuration and disabled password-based authentication, you can use per-key settings as well. Edit ~/.ssh/authorized_keys and add the next options before the ssh- (with a space between the options and ssh-):

command="echo 'This account can only be used for [reason]'",no-agent-forwarding,no-X11-forwarding,permitopen="localhost:62222"

Verify

To be sure that it works as expected, some test cases need to be run. In the below commands, host should be replaced by the actual login if it's not set in ~/.ssh/config. Behind the command, a command is shown that should be executed on either the client or server (as specified).

# connection closed:
ssh host
# connection closed (/bin/date is not executed):
ssh host /bin/date
# administratively prohibited (2x):
ssh host -N -D 62222 # client: curl -I --socks5 localhost:62222 example.com
ssh host -N -L 8080:example.com:80 # client: curl -I localhost:8080
sftp host
# should be possible because the client should forward his SSH server
ssh host -N -R 8080:example.com:80 # server: curl -I localhost:8080
# This works, it forwards the client SSH to the server
ssh host -N -R 62222:localhost:22
# unfortunately, the client can listen on that port too. Not a big issue
ssh host -N -L 1234:localhost:62222

Conclusion

Checklist: The SSH user should not able to:

execute shell commands - done
access files or upload files to the server - done
use the server as proxy (e.g. webproxy) - done
access local services which were otherwise not publicly accessible due to a firewall - partially, the client cannot access other ports than 62222, but can listen and connect to port 62222 on the server
kill the server - done (note that these checks are limited to the SSH server. If you've an other vulnerable service on the machine, it could allow a possible attacker to run commands, kill the server, etc. )

Ubuntu – Execute a command on local computer from a connected remote SSH host

@62mkv's answer is a much better solution. Use that.

For completeness and curiosity though, if you have an ssh server running on your local machine, you could create an ssh tunnel to allow ssh connections from the remote host on port 20202 back to the local one on port 22. Example command:

ssh -R20202:localhost:22 remoteuser@remotehost.com

This will start an ssh connection, but also set up a tunnel back to the ssh server running on your machine. Then you can do this, when ssh'ed into the remote host:

ssh -p 20202 localuser@localhost

Of course, this can quickly get confusing - especially if the technique is nested more than once. It adds a bit of latency, too - since everything you execute on your local machine is bounced through the remote host.

Additional information about ssh tunneling for those whose curiosity hasn't been satisfied yet can be found in answer to this unix stackexchange question.