As you have the machine C on the internet, make a special account there named sesame, and on A you make an account with a public/private key pair from which you have copied the public key to the sesame account on C.
You can now log in from A to C, but instead of doing that you do:
ssh -N -R 19930:localhost:22 sesame@yourserverC
(You might want to combine this with a sleep statement of e.g. 10 seconds and wrap this in an endless loop so the connection is re-established if a WiFi outage caused it to break.)
From machine B, normally log in to whatever account you have on C (it can be, but doesn't have to be, the sesame account; different accounts are what I use). And once you are on C, log in to A using:
ssh localhost -p 19930
You can of course use a different number than 19930.
It is possible to run the ssh -N -R ... from /etc/rc.local if your private key on A is not password protected. In that case make sure to make sesame a separate account with limited functionality, so that when your machine A gets compromised/stolen, the risk for your server C is limited. That is also why I recommend using a separate account to get from B to C.
You can actually set the login shell for sesame in /etc/passwd to /bin/false, so you can no longer use the account for login.
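The reconnect loop and the "limited functionality" sesame account described above, as an added example that is not part of the original answer. The names sesame, yourserverC and port 19930 are the answer's; the ssh options and the authorized_keys restrictions (restrict, port-forwarding and permitlisten) are my additions and assume OpenSSH 7.8 or newer on C.

```sh
#!/bin/sh
# Added example: keep the reverse tunnel from A to C alive and confine what the
# sesame key on C is allowed to do. Host, user and port are the answer's values.

TUNNEL_PORT=19930
TUNNEL_USER=sesame
TUNNEL_HOST=yourserverC

# The ssh command A runs. ExitOnForwardFailure makes ssh exit when the remote
# port is still held by a half-dead earlier session, so the loop retries instead
# of running without the forward; ServerAliveInterval/CountMax detect a dead
# link inside the encrypted channel (90 s here); BatchMode stops ssh from ever
# waiting for a password, which matters when it runs unattended from rc.local.
tunnel_cmd() {
    printf '%s' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -R ${TUNNEL_PORT}:localhost:22 ${TUNNEL_USER}@${TUNNEL_HOST}"
}

# The authorized_keys line for the sesame account on C. "restrict" turns off
# pty, agent/X11 forwarding and all port forwarding; "port-forwarding" turns
# forwarding back on, and permitlisten limits -R to the single expected port.
# With -N on the client side the account needs no shell, so /bin/false works.
authorized_keys_line() {
    # $1 is the public key material copied from A
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$TUNNEL_PORT" "$1"
}

# The endless loop the answer suggests: re-establish the tunnel 10 s after it drops.
run_tunnel_loop() {
    while :; do
        eval "$(tunnel_cmd)"
        sleep 10
    done
}
```

Append the output of authorized_keys_line to ~sesame/.ssh/authorized_keys on C, and call run_tunnel_loop (for instance from rc.local) on A; the stolen-laptop scenario the answer mentions then leaves the key able to open exactly one loopback listener on C and nothing else.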
Best Answer
Enable one of the SSH keepalive messages, for example by enabling TCPKeepAlive or ClientAliveInterval in the server's sshd config. Similarly, in the client config you can use TCPKeepAlive and ServerAliveInterval. TCPKeepAlive used to just be KeepAlive, if you have an old version of OpenSSH.
TCP keepalives are a feature that is part of TCP, and operate outside the encrypted tunnel built by SSH. So someone could, for example, spoof them to pretend the connection is still open when it isn't.
ClientAlive/ServerAlive operate inside the encrypted tunnel, so they can't be spoofed (but I believe it's a new option, and of course costs more CPU time).
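A small check for the server-side settings named above, added here and not part of the answer: it reads ClientAliveInterval and ClientAliveCountMax out of an sshd_config text and reports how long a client that stops answering the in-tunnel probes keeps its session (and any reverse forward it holds) open. The config fragment is constructed for the example; the defaults assumed (ClientAliveInterval 0, i.e. disabled, and ClientAliveCountMax 3) and the first-value-wins rule are OpenSSH's documented behaviour.

```sh
#!/bin/sh
# Added example: report how long sshd keeps a silent client alive, from the
# ClientAlive settings in an sshd_config text (constructed sample below).

SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment for the example
Port 22
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 3
'

# Print the value of one keyword (case-insensitive). sshd uses the first value
# it reads for a keyword, so the first match wins; the default is printed when
# the keyword is absent.
sshd_option() {
    # $1 config text, $2 keyword, $3 default
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) && !seen { val = $2; seen = 1 }
        END { print (val == "" ? def : val) }'
}

# Seconds until sshd drops a client that answers no ClientAlive probe:
# ClientAliveInterval * ClientAliveCountMax. A result of 0 means the in-tunnel
# probes are disabled, so only the spoofable TCP keepalive (if enabled) would
# ever notice a dead peer, and a dead reverse tunnel can hold its port for hours.
client_dead_after() {
    interval=$(sshd_option "$1" ClientAliveInterval 0)
    countmax=$(sshd_option "$1" ClientAliveCountMax 3)
    echo $((interval * countmax))
}

# Yes/no whether the TCP-level keepalive is on (sshd's default is yes).
tcp_keepalive() {
    sshd_option "$1" TCPKeepAlive yes
}
```

Run it against the real file with client_dead_after "$(cat /etc/ssh/sshd_config)"; for the sample it answers 90, and for a config with no ClientAlive lines it answers 0, which is the case where a half-open connection on the server side is never noticed from inside the tunnel.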