Ssh – How to configure such that I can always SSH to the system over the internet on a dynamic IP


Basically I want to be able to do something like teamviewer, where regardless of what the network configuration is, as long as both my ssh server (Machine A) and ssh client (Machine B) have internet access (and some 3rd server, Machine C), I can gain access – the reason for this is I want to be able to move machine A around, plug it in to power, have it auto-connect to one of several pre-configured wifi networks (each one unique/different), without having configured port-forwarding or similar on the networks, and be able to log into it via the internet from Machine B

How can I accomplish this? I don't mind setting something up on a server with a static IP address for helping out with the handshake, but I also don't mind a 3rd party server either if something already exists (like it does for say teamviewer)

edit for clarity: I have 3 machines, A B and C

A is a headless raspberry pi that will be powered on/off in random locations, connect to a pre-configured wifi network

B is the machine with a proper monitor, keyboard, etc. that I want to connect from

C is a rented AWS server that I have with a static IP address, can reliably SSH in from B, and can install whatever is necessary to help B connect to A

Best Answer

As you have the machine C on the internet, make a special account there named sesame, and on A you make an account with a public/private key from which you have copied the public key to the sesame account on C.

You can now login from A to C, but instead of doing that you do:

ssh -N -R 19930:localhost:22 sesame@yourserverC

(you might want to combine this with a sleep statement of e.g. 10 seconds and wrap this in an endless loop so the connection is re-established if WiFi going down caused it to break)

From machine B, normally login to whatever account you have on C (can be but doesn't have to be the sesame account, different accounts are what I use). And once you are on C, login to A using:

ssh localhost -p 19930

You can of course use a different number than 19930.

It is possible to run the ssh -N -R ... from /etc/rc.local if your private key on A is not password protected. In that case make sure to make sesame a separate account with limited functionality, so that when your machine A gets compromised/stolen, the risk for your server C is limited. That is also why I recommend using a separate account to get from B to C.

You can actually set the login shell for sesame in /etc/passwd to /bin/false, so you can no longer use the account for login.
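As an added example (not the answer author's code), a script for machine A that wraps the answer's ssh -N -R command in the reconnect loop it suggests and also prints the authorized_keys options that confine the sesame key on C to exactly that reverse-forwarded port. The key path, keepalive values and the TUNNEL_START guard are assumptions; the host name, account and port 19930 follow the answer.

```shell
#!/bin/sh
# Machine A side: keep the reverse tunnel to C alive (constructed example).
REMOTE_USER=sesame
REMOTE_HOST=yourserverC
TUNNEL_PORT=19930
KEY=/home/pi/.ssh/id_ed25519_tunnel   # assumed path; unencrypted key, so restrict it on C

# Build the ssh command line. -N: no remote shell; -R: C listens on its own
# loopback and forwards back to A's sshd. ExitOnForwardFailure makes ssh exit
# (so the loop retries) when a stale session still holds the remote port,
# and ServerAlive* tear down a dead link after ~90 s instead of hanging.
tunnel_cmd() {
    printf '%s' "ssh -N -i $KEY -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -R ${TUNNEL_PORT}:localhost:22 ${REMOTE_USER}@${REMOTE_HOST}"
}

# Options to put in front of A's public key in sesame's authorized_keys on C:
# 'restrict' disables pty, agent/X11 forwarding and user rc, 'port-forwarding'
# re-enables only forwarding, and permitlisten pins -R to the tunnel port, so a
# stolen key cannot open arbitrary listeners on C.
authorized_keys_prefix() {
    printf 'restrict,port-forwarding,permitlisten="%s"' "$TUNNEL_PORT"
}

# Endless reconnect loop as the answer suggests (e.g. started from /etc/rc.local).
run_tunnel() {
    while :; do
        eval "$(tunnel_cmd)" || echo "tunnel down, reconnecting" >&2
        sleep 10               # back off before retrying after a WiFi drop
    done
}

# Only start the loop when explicitly asked, so the file can be sourced safely.
if [ "${TUNNEL_START:-0}" = 1 ]; then
    run_tunnel
fi
```

Run it with TUNNEL_START=1 on machine A; on C, sesame's authorized_keys line becomes the prefix output followed by a space and A's public key.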
