Ssh – How to execute a command through SSH and keep the connection open

sshssh-tunneling

When I run

FOO=$(ssh -L 40000:localhost:40000 root@1.2.3.4 cat /foo)

I get the contents of /foo, but then it disconnects.

What I'd like to do is somehow get the content of /foo and keep the connection open so that port 40000 is still forwarded to the same server. Is this possible?

You might ask, why not just issue two ssh connections like this

FOO=$(ssh root@1.2.3.4 cat /foo)
ssh -L 40000:localhost:40000 root@1.2.3.4 -f -N

In my situation, the reason I can't do this is because the ip (1.2.3.4) is a load balancer that forwards the connection to a number of random backends. Each time I ssh to 1.2.3.4 I get a different machine, and the contents of /foo are different for every machine. Moreover, the data I send over the forwarded port (40000) depends on the contents of /foo. If I grab the contents of /foo on machine A and then sent data over port 40000 to machine B, things don't work.

Best Answer

What you are describing is known as SSH multiplexing.

I use that setup in a devops setting for caching my connections to any VMs.

In that way I reuse the same connection for up to 30 minutes/cache the connection, without renegotiating the entire SSH connection (and authenticating the user) in each new command.

It gives me an huge boost in speed, when sending (multiple) commands in a row to a VM/server.

The setup is done on the client side, and for a cache of 30 minutes, the setup can be done in /etc/ssh/ssh_config as:

ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 30m

The MaxSessions parameter, also in ssh_config also defines how many multiplexed connections simultaneous connections are allowed; the default value is 10. If you need more simultaneous cached connections, you might want to change it.

For instance, for a maximum of 20 cached connections:

MaxSessions 20

For more information, see OpenSSH/Cookbook/Multiplexing

An advantage of SSH multiplexing is that the overhead of creating new TCP connections is eliminated.
...
The second and later connections will reuse the established TCP connection >over and over and not need to create a new TCP connection for each new SSH connection.

Also see Using SSH Multiplexing

SSH multiplexing is the ability to carry multiple SSH sessions over a single TCP connection

Without multiplexing, every time that command is executed your SSH client must establish a new TCP connection and a new SSH session with the remote host. With multiplexing, you can configure SSH to establish a single TCP connection that is kept alive for a specific period of time, and SSH sessions are established over that connection. This can result in speed increases that can add up when repeatedly running commands against remote SSH hosts.

Lastly, as the multiplexing keeps the TCP connection open between the client and the server, you will have the guarantee that you are talking with the same machine in the load balancer, as long as the cache is open/active.

Related Solutions

Ssh – Work around two-factor SSH auth with Master connection and port forwarding

Quite an interesting problem you've got.

The real solution would be to ask your sysadmin for help first.

If that's not an option, the next best thing is to have pyCharm's libssh or whatever it uses (I did some googling and couldn't figure it out) parse your `~/.ssh/config'.

If that's not possible, you might be able to run your own ssh daemon on the remote host listening on the loopback address and connect to it with a local forward.

To setup an unprivileged ssh daemon (copied from a link on the SF answer):

  $ pwd
  /home/<USER>
  $ mkdir -p etc var/run
  $ cp /etc/sshd_config etc
  $ vi etc/sshd_config
  [Set `Port 2230']
  [Set `HostKey /home/<USER>/etc/ssh_host_rsa_key']
  [Set `UsePrivilegeSeparation no']
  [Set `PidFile /home/<USER>/var/run/sshd.pid']
  [:wq!]
  $ ssh-keygen -t rsa -f /home/<USER>/etc/ssh_host_rsa_key -N ''
  Generating public/private rsa key pair.
  Your identification has been saved in /home/<USER>/etc/ssh_host_rsa_key.
  Your public key has been saved in /home/<USER>/etc/ssh_host_rsa_key.pub.
  The key fingerprint is:
  02:5d:02:5d:e8:2e:c6:b9:4c:d9:93:6c:13:ef:5d:61 hein@vmbert2k8
  $ /usr/sbin/sshd -f /home/<USER>/etc/sshd_config -D

Now forward a local port to it (you will be logging in with 2fa here):

 ssh -L 2230:localhost:2230 example_com_master

And direct pyCharm to localhost:2230. You can also setup keypair auth on your custom sshd.

Note that this is a long shot, and your sysadmin may not appreciate it.

There's a big chance that pyCharm already uses OpenSSH for its ssh implementation. If that's so, adding multiplexing support to pyCharm would be way easier than the workaround I've proposed.

SSH session through jumphost via remote port forwarding

It looks like you should be using local port-forwarding instead of remote port-forwarding. You may want to refer to the following helpful blog post by Dirk Loss:

SSH port forwarding visualized

It includes the following illustrative diagram:

In order to read the diagram you need to know that it describes the relationships between 4 different roles involved in creating and utilizing an SSH tunnel:

an ssh client (i.e. ssh - the OpenSSH command-line client) used to establish the tunnel;
an ssh server (i.e. sshd - the OpenSSH server daemon) used to maintain the other end of the tunnel;
an application server (e.g. another ssh server or an http server);
an application client (e.g. another ssh client or a web-browser) which wants to access the application server via the tunnel.

It's also important to understand that the two different types of forwarding correspond to two different use cases:

Local Forwarding: where the application client connects via the ssh client
Remote Forwarding: where the application client connects via the ssh server

Remote forwarding is so called because the forwarding is performed remotely (at the ssh server) rather than locally (at the ssh client). I also find "remote forwarding = reverse forwarding" to be a useful mnemonic.

So as you can see, in order to initiate a connection from an ssh client at the origin host through an sshd server on a proxy jumphost to a third target host you would have to use local port-forwarding. Remote port-forwarding is for the case in which you want the entry point to the tunnel to be located at the host running the sshd server rather than at the host running the ssh client.

In the man page the local port-forwarding syntax is written as follows:

ssh -L [bind_address:]port:host:hostport user@remote

This can be written more intuitively as the following:

ssh -L [local_bind_address:]local_port:remote_host:remote_host_port user@proxy_host

Or, using your naming conventions:

ssh -L [origin_bind_address:]origin_port:target_host:target_host_port user@jump_host

If we modify your command to use local port-forwarding instead then we end up with the following:

user@origin:~$ ssh -L *:1234:target:22 myusername@jumphost

Best Answer

Related Solutions

Ssh – Work around two-factor SSH auth with Master connection and port forwarding

SSH session through jumphost via remote port forwarding

Related Question