|AUTOSSH(1)||General Commands Manual||AUTOSSH(1)|
autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The original idea and the mechanism were from rstunnel (Reliable SSH Tunnel). With version 1.2 of autossh the method changed: autossh uses ssh to construct a loop of ssh forwardings (one from local to remote, one from remote to local), and then sends test data that it expects to get back. (The idea is thanks to Terrence Martin.) With version 1.3, a new method is added (thanks to Ron Yorston): a port may be specified for a remote echo service that will echo back the test data. This avoids the congestion and the aggravation of making sure all the port numbers on the remote machine do not collide. The loop-of-forwardings method remains available for situations where using an echo service may not be possible.
autossh tries to distinguish the manner of death of the ssh process it is monitoring and act appropriately. The rules are:
autossh exits rather than restarting;
If autossh itself receives a SIGTERM, SIGINT, or a SIGKILL signal, it assumes that it was deliberately signalled, and exits after killing the child ssh process;
If autossh itself receives a SIGUSR1 signal, it kills the child ssh process and starts a new one;
autossh attempts to pass traffic on the monitor forwarded port. If this fails, autossh will kill the child ssh process (if it is still running) and start a new one;
autossh will attempt to start a new one.
autossh assumes that it never made it "out of the starting gate", and exits. This is to handle initial failed authentication, connection, etc. This time is 30 seconds by default, and can be adjusted (see the AUTOSSH_GATETIME environment variable below). If AUTOSSH_GATETIME is set to 0, then both behaviours are disabled: there is no "starting gate", and autossh will restart even if ssh fails on the first run with an exit status of 1. The "starting gate" time is also set to 0 when the -f flag to autossh is used.
autossh will start delaying its attempts to restart, gradually backing farther and farther off up to a maximum interval of the autossh poll time (usually 10 minutes).
autossh can be "prodded" to retry by signalling it, perhaps with SIGHUP ("kill -HUP").
autossh requires that some form of automatic authentication be set up. The use of RSAAuthentication with ssh-agent is the recommended method. The example wrapper script attempts to check if there is an agent running for the current environment, and to start one if there isn't. It cannot be stressed enough that you must make sure ssh works on its own, that you can set up the session you want before you try to run it under autossh.
If you are tunnelling and using an older version of ssh that does not support the -N flag, you should upgrade (your version has security flaws). If you can't upgrade, you may wish to do as rstunnel does, and give ssh a command to run, such as "sleep 99999999999".
autossh will send test data on the base monitoring port, and receive it back on the port above. For example, if you specify "-M 20000", autossh will set up forwards so that it can send data on port 20000 and receive it back on 20001. Alternatively, a port for a remote echo service may be specified. This should be port 7 if you wish to use the standard inetd echo service. When an echo port is specified, only the specified monitor port is used, and it carries the monitor message in both directions. Many people disable the echo service, or even disable inetd, so check that this service is available on the remote machine. Some operating systems allow one to specify that the service only listen on the localhost (loopback interface), which would suffice for this use. The echo service may also be something more complicated: perhaps a daemon that monitors a group of ssh tunnels. Setting the monitor port to 0 turns the monitoring function off, and autossh will only restart ssh upon ssh's exit. For example, if you are using a recent version of OpenSSH, you may wish to explore using the ServerAliveCountMax options to have the SSH client exit if it finds itself no longer connected to the server. In many ways this may be a better solution than the monitoring port.
-f flag is stripped from arguments passed to ssh. Note that there is a crucial difference between -f with autossh, and -f with ssh: when used with autossh, ssh will be unable to ask for passwords or passphrases. When -f is used, the "starting gate" time (see AUTOSSH_GATETIME) is set to 0.
autossh to display its version number and exit.
autossh uses environment variables to control features. ssh seems to be still collecting letters for options, and this seems the easiest way to avoid collisions.
autossh should use the named log file, rather than syslog.
ExitOnForwardFailure=yes on the client side to make sure forwardings have succeeded when autossh assumes the connection is set up properly.
ClientAliveInterval on the server side to make sure the listening socket is closed on the server side if the connection closes on the client side.
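The advice above (monitor port 0 together with the ServerAlive options, the port pair used by "-M 20000", and ExitOnForwardFailure=yes) can be checked mechanically before a tunnel is deployed. The script below is an added example, not part of autossh or of this manual: the function lint_autossh, its finding codes and the host gw.example.net are assumptions, the command lines and keepalive values are constructed, and ServerAliveInterval is the ssh_config(5) option that works together with ServerAliveCountMax.

```sh
#!/bin/sh
# Added example, not part of autossh: lint an autossh command line against
# this manual's advice. lint_autossh and its finding codes are hypothetical.
# Handles "-M port" as a separate word only; prints one finding per line.
lint_autossh() (
    set -f                          # no globbing while word-splitting $cmd
    cmd=$1 mon='' prev='' fwd=no
    for tok in $cmd; do
        [ "$prev" = "-M" ] && mon=$tok
        case $tok in -L*|-R*) fwd=yes ;; esac
        prev=$tok
    done
    case $mon in
        '') ;;                      # no -M on this line, nothing to check
        0)  # Monitoring is off, so autossh restarts ssh only when ssh exits:
            # ssh itself must detect a dead connection and exit.
            case $cmd in *ServerAliveInterval*) ;;
                *) echo M0_NO_SERVERALIVEINTERVAL ;; esac
            case $cmd in *ServerAliveCountMax*) ;;
                *) echo M0_NO_SERVERALIVECOUNTMAX ;; esac ;;
        *:*) echo "USES_PORT ${mon%%:*}" ;;      # echo service: one port
        *)  echo "USES_PORT $mon"                # loop of forwardings:
            echo "USES_PORT $((mon + 1))" ;;     # base port and the one above
    esac
    if [ "$fwd" = yes ]; then
        case $cmd in
            *ExitOnForwardFailure=yes*|*"ExitOnForwardFailure yes"*) ;;
            *) echo NO_EXITONFORWARDFAILURE ;;
        esac
    fi
)

# Constructed command lines; gw.example.net is a placeholder host and the
# keepalive values 30 and 3 are sample values.
GOOD='autossh -M 0 -f -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -L 8080:localhost:80 tunnel@gw.example.net'
WEAK='autossh -M 0 -f -N -L 8080:localhost:80 tunnel@gw.example.net'
LOOP='autossh -M 20000 -N -L 8080:localhost:80 tunnel@gw.example.net'
ECHOSVC='autossh -M 20000:7 -N -o ExitOnForwardFailure=yes -L 8080:localhost:80 tunnel@gw.example.net'

for line in "$GOOD" "$WEAK" "$LOOP" "$ECHOSVC"; do
    printf '%s\n' "--- $line"
    lint_autossh "$line"
done
```

The USES_PORT lines list the local ports that must be free for the monitor; the other codes mark a recommended option that is missing from the command line.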
autossh was written by Carson Harding.
ssh(1), ssh_config(5), sshd_config(5), ssh-add(1), ssh-agent(1), ssh-keygen(1), cygrunsrv(1).
|March 18, 2018||x86_64|