How to keep reversed SSH tunnel alive and safe

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I need to SSH to a computer that is behind a NAT. To this end a reverse SSH tunnel from that computer (with SSH server installed) is established to my publicly visible server (middleman.example.org):
ssh -f -N -T -R 9999:localhost:22 -p 7777 mm@middleman.example.org

Now in order for me to get to that computer from any place I do:
ssh -J mm@middleman.example.org:7777 -p 9999 user_behind_NAT@localhost



  1. I need to keep this tunnel alive for days or even weeks. I've heard about two ways to achieve this:
    (a) passing -o TCPKeepAlive=yes together with above mentioned options

    (b) use autossh instead of ssh

What is the difference between those two options? Which is better for which situation? Does it make sense to use both?



  1. As the sysadmin of middleman.example.org I don't want to trust this user behind a NAT and would like to limit the account mm as tough as possible. In the best case I would like to disable both interactive shell and even sftp, allowing only establishing reverse SSH connections (I myself will use my regular account to "jump" into the reverse tunnel). Is this possible somehow?






share|improve this question























    up vote
    0
    down vote

    favorite












    I need to SSH to a computer that is behind a NAT. To this end a reverse SSH tunnel from that computer (with SSH server installed) is established to my publicly visible server (middleman.example.org):
    ssh -f -N -T -R 9999:localhost:22 -p 7777 mm@middleman.example.org

    Now in order for me to get to that computer from any place I do:
    ssh -J mm@middleman.example.org:7777 -p 9999 user_behind_NAT@localhost



    1. I need to keep this tunnel alive for days or even weeks. I've heard about two ways to achieve this:
      (a) passing -o TCPKeepAlive=yes together with above mentioned options

      (b) use autossh instead of ssh

    What is the difference between those two options? Which is better for which situation? Does it make sense to use both?



    1. As the sysadmin of middleman.example.org I don't want to trust this user behind a NAT and would like to limit the account mm as tough as possible. In the best case I would like to disable both interactive shell and even sftp, allowing only establishing reverse SSH connections (I myself will use my regular account to "jump" into the reverse tunnel). Is this possible somehow?






    share|improve this question





















      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I need to SSH to a computer that is behind a NAT. To this end a reverse SSH tunnel from that computer (with SSH server installed) is established to my publicly visible server (middleman.example.org):
      ssh -f -N -T -R 9999:localhost:22 -p 7777 mm@middleman.example.org

      Now in order for me to get to that computer from any place I do:
      ssh -J mm@middleman.example.org:7777 -p 9999 user_behind_NAT@localhost



      1. I need to keep this tunnel alive for days or even weeks. I've heard about two ways to achieve this:
        (a) passing -o TCPKeepAlive=yes together with above mentioned options

        (b) use autossh instead of ssh

      What is the difference between those two options? Which is better for which situation? Does it make sense to use both?



      1. As the sysadmin of middleman.example.org I don't want to trust this user behind a NAT and would like to limit the account mm as tough as possible. In the best case I would like to disable both interactive shell and even sftp, allowing only establishing reverse SSH connections (I myself will use my regular account to "jump" into the reverse tunnel). Is this possible somehow?






      share|improve this question











      I need to SSH to a computer that is behind a NAT. To this end a reverse SSH tunnel from that computer (with SSH server installed) is established to my publicly visible server (middleman.example.org):
      ssh -f -N -T -R 9999:localhost:22 -p 7777 mm@middleman.example.org

      Now in order for me to get to that computer from any place I do:
      ssh -J mm@middleman.example.org:7777 -p 9999 user_behind_NAT@localhost



      1. I need to keep this tunnel alive for days or even weeks. I've heard about two ways to achieve this:
        (a) passing -o TCPKeepAlive=yes together with above mentioned options

        (b) use autossh instead of ssh

      What is the difference between those two options? Which is better for which situation? Does it make sense to use both?



      1. As the sysadmin of middleman.example.org I don't want to trust this user behind a NAT and would like to limit the account mm as tough as possible. In the best case I would like to disable both interactive shell and even sftp, allowing only establishing reverse SSH connections (I myself will use my regular account to "jump" into the reverse tunnel). Is this possible somehow?








      share|improve this question










      share|improve this question




      share|improve this question









      asked Apr 29 at 11:02









      user1876484

      438




      438

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f440715%2fhow-to-keep-reversed-ssh-tunnel-alive-and-safe%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes










           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f440715%2fhow-to-keep-reversed-ssh-tunnel-alive-and-safe%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?