Automatically start ssh sessions on login

Asked by tdn on 2010-02-05

Hi

I use Kubuntu 9.10.

I am frequently away from my office network. So I use OpenSSH to create a SOCKS proxy to one of the edge servers at the office: ssh -D 3080 myoffice.example.com. Then I have configured the few applications that need access to this network to use a SOCKS proxy: localhost:3080.

This works just fine. However, I would like to have this SSH session set up automatically when I log in. This should be easy enough: create a shellscript that sets up the connection, put a link in ~/.kde/Autostart that points to this shellscript... The problem is though that I use an encrypted SSH key. So I have also put this python-script in Autostart:
http://thomasdamgaard.dk/paste/P1476.html
(the script opens an input box where I input my ssh key passphrase, and then it sets up ssh-agent with my key)

So, if I just start the ssh session on login, ssh will ask for my ssh key passphrase (because I have not entered it yet).

What I would like help on is this:
1: How do I have the ssh session set up automatically, when I have logged in AND I have added my ssh key to ssh-agent?
2: How do I make sure this is only done, when I am outside of the office network (if I am already at the office, this is not necessary)?
3: How do I make the ssh session start up again, if it is brought down for some reason (e.g. if I suspend the laptop or the network access is temporarily down)?

I am looking forward to hearing your input.

Thanks.

Question information

Language: English
Status: Solved
For: Ubuntu openssh
Assignee: No assignee
Solved by: tdn
Solved: 2010-02-09
Last query: 2010-02-09
Last reply: 2010-02-09

This question was reopened

  • 2010-02-07 by tdn

tdn (spam-thomasdamgaard) said : #1

I would just like to add that the reason I do not use VPN for this is that it is not all applications that need to go through the office network. It would be horribly slow if I needed to have all my web browsing and such go through the office network, when I am traveling far away.

A. Denton (aquina) said : #2

1] Check which parameters ssh-agent allows and add them to your shellscript if applicable. Honestly I never tried that since all solutions for the problem you have right now still result in having to enter a password. In other words you gained nothing. I enter my password on the shell. So what makes your solution superior to mine? A graphical box where you enter your password?

2] Add some lines of code which check for some server or gateway within your current network. Check for a combination of hostnames, gateway IP, your hostmask, etc. to detect where you actually are. In case you want more security and accuracy you need some hardware device (GPS) to check your position. The result data can be used by your shell script as well.

3] You have to reauthenticate with your password *except* you use tools like ssh-agent. I had some problems in the past with ssh-agent not working correctly though. In case you're a good coder write a C-Program which intercepts the communication with the ssh server and buffers the password.

Maybe someone out there already solved these problems.

tdn (spam-thomasdamgaard) said : #3

Aquina, thanks for your reply.

1) I like having a GUI box to enter passphrase, when I log in to X.

I came up with this solution:

I created an extra key pair for this purpose only. Put the public key in the authorized_keys on the server at the office.
Then I created a shellscript in Autostart which runs:
curl --connect-timeout 1 http://10.1.0.30/ews/index.htm |grep 'Dell Color Laser 3110cn' || nice ssh -D 3080 -i id_rsa_tunnel_key office.sikkerhed.org

10.1.0.30 is one of the printers at the office. So if curl | grep printername returns true, then the ssh session will not be created.

Then I only need the ssh-session to automatically reconnect if it gets disconnected. I think I can use autossh for this, but not sure yet.

A. Denton (aquina) said : #4

So if curl | grep printername returns true, then the ssh session will not be created. -- Why?

tdn (spam-thomasdamgaard) said : #5

Aquina, because then I am at the office. Thus, the ssh session is not needed.

I have found another problem though: the session should only be started *after* a network connection has been brought up. (By KNetworkManager)
Any suggestions as to how I detect this?

A. Denton (aquina) said : #6

I would try something like:

var001=$(sudo ifconfig -a | grep eth0)

# -n: true when grep printed a line, i.e. eth0 was found
if [ -n "$var001" ]; then
    echo "Interface up."
    # exec ssh connection here...
else
    echo "Interface down."
    # escape strategy here...
fi

tdn (spam-thomasdamgaard) said : #7

Aquina, sudo requires that the user enters a password. I would like this to be run automatically in the background. Also, ifconfig -a gives me *all* devices, including those that aren't up. Further, I do not know which interface is up. It can be either eth0 or the wireless card, wlan0. If I have net on just one of them, the session should be brought up.

I have something like this in mind (pseudo code):
while true {
  if network_is_up() {
    curl --connect-timeout 1 http://10.1.0.30/ews/index.htm |grep 'Dell Color Laser 3110cn' || nice ssh -D 3080 -i ~/acct/keys/id_rsa_tunnel_key office.sikkerhed.org
  }
  sleep 30
}

I am just not sure how to implement network_is_up().
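
The loop sketched in post #7, as an added example (not code from the thread): network_is_up() looks for a default route with `ip route`, which needs no sudo and works whether eth0 or wlan0 carries the connection. The `ip`-based check, the ssh `-o` options, the helper names and the `run` argument are choices made for this example; the host, key path and printer URL are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: helper names, options and timings are assumptions, not from the thread.
OFFICE_URL='http://10.1.0.30/ews/index.htm'   # printer page quoted in the thread
OFFICE_MARK='Dell Color Laser 3110cn'
KEY="$HOME/acct/keys/id_rsa_tunnel_key"
GATEWAY='office.sikkerhed.org'

# Succeeds if the `ip route` output on stdin contains a default route
# (true for eth0 and wlan0 alike, and needs no sudo).
has_default_route() { grep -q '^default '; }

network_is_up() { ip route show 2>/dev/null | has_default_route; }

# Convenience check only, not authentication: any network can serve this
# string at 10.1.0.30, and then no tunnel is started.
at_office() {
    curl --silent --connect-timeout 1 "$OFFICE_URL" 2>/dev/null | grep -qF "$OFFICE_MARK"
}

# Prints one of: wait (no network), skip (at the office), connect.
tunnel_action() {
    if ! network_is_up; then echo wait
    elif at_office; then echo skip
    else echo connect
    fi
}

tunnel_loop() {
    while true; do
        if [ "$(tunnel_action)" = connect ]; then
            # -N: forwarding only. BatchMode: never prompt in the background.
            # ServerAlive*: a session killed by suspend or a network drop
            # exits after about 45 s, so the loop can start a new one.
            nice ssh -N -D 127.0.0.1:3080 -i "$KEY" \
                -o BatchMode=yes -o IdentitiesOnly=yes \
                -o ExitOnForwardFailure=yes \
                -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
                "$GATEWAY"
        fi
        sleep 30
    done
}

# Start the loop only when called as: script run
if [ "${1:-}" = run ]; then tunnel_loop; fi
```

If the dedicated tunnel key is stored without a passphrase, limiting it on the server in authorized_keys (on OpenSSH 7.2 or later, the `restrict,port-forwarding` options) keeps a copied key from being usable for a shell.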

tdn (spam-thomasdamgaard) said : #8

Come to think of it, maybe there is a way to ask KNetworkManager if network is up?

A. Denton (aquina) said : #9

The user has to enter a password for sudo and (optional) one for SSH authentication. What's the problem with that? In case you want to check only active devices try »ifconfig« without sudo and -a. That should work either. In case it can be eth0 or wlan0 check both and write some shellcode. Maybe you have to learn scripting first. But that's *not* stuff for a Launchpad question!

tdn (spam-thomasdamgaard) said : #10

The problem with asking for password is that this requires interactivity. I would like this to just run in the background.

I will try to figure out how to script my way out of asking ifconfig for the state of the interfaces. However, I think it would be easier to ask KNetworkManager, if there is a way to do this? In the old KDE, I could probably have asked via DCOP.

Why is scripting off-topic on Launchpad?

A. Denton (aquina) said : #11

You were asking in Ubuntu openssh package. That's the reason why.

tdn (spam-thomasdamgaard) said : #12

Ok. Fair enough. I did not know this was asked to the openssh package. I thought I asked it as a general question.