Autossh – automatically restart SSH sessions and tunnels

182 points by denysonique 8 months ago

27 comments

xk3 8 months ago
If you have systemd, you could do this:

    [Unit]
    Description=look ma, no autossh
    After=network.target

    [Service]
    Type=exec
    ExecStart=/usr/bin/ssh -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -Nn -R 7070:localhost:22 pc 'sleep 20m'
    Restart=always
    RestartSec=20
    RuntimeMaxSec=30m

    [Install]
    WantedBy=default.target

beagle3 8 months ago
14 years ago, I was using autossh to keep SSH tunnels up; but at some point (quite far back - perhaps 2016?) ssh gained everything needed to do this internally *except* the restart.

At this point I configure all of the keep alive and retry options in ssh_config and sshd_config, and use

    while true; do ssh user@host ; sleep 10; done

to get the same effect, but with much more flexibility - e.g. alternating connection addresses on a multihomed host, add logging, run from daemontools or systemd unit instead of a loop and let them track the process and restart, etc.
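
Added example, not part of the thread: one way to build the loop described in the comment above, rotating across the addresses of a multihomed host, logging every exit and backing off between retries. The hostnames, variable names and backoff policy are assumptions; the forward and the ssh options are the ones quoted in other comments on this page.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames are hypothetical placeholders.
HOSTS="${HOSTS:-gw-a.example.net gw-b.example.net}"  # addresses of one multihomed host
FORWARD="${FORWARD:-7070:localhost:22}"              # reverse forward to keep up
SSH_BIN="${SSH_BIN:-ssh}"
MIN_DELAY="${MIN_DELAY:-10}"   # first retry delay, in seconds
MAX_DELAY="${MAX_DELAY:-300}"  # cap for the doubled delay
STABLE="${STABLE:-60}"         # a session at least this long resets the delay

log() { printf '%s tunnel: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# pick_host N: print the address for attempt N, wrapping around HOSTS.
pick_host() {
    n=$1
    set -- $HOSTS
    shift $(( n % $# ))
    printf '%s\n' "$1"
}

# next_delay PREVIOUS UPTIME: double the delay up to the cap; reset after a stable session.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$2" -ge "$STABLE" ] || [ "$d" -lt "$MIN_DELAY" ]; then d=$MIN_DELAY; fi
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    printf '%s\n' "$d"
}

# run_tunnel MAX_ATTEMPTS: 0 means retry forever.
run_tunnel() {
    max=$1 attempt=0 delay=0
    while [ "$max" -eq 0 ] || [ "$attempt" -lt "$max" ]; do
        host=$(pick_host "$attempt")
        start=$(date +%s)
        # BatchMode: never block on a prompt. ExitOnForwardFailure: exit rather
        # than stay connected without the forward, so the loop can retry.
        "$SSH_BIN" -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=5 -o ServerAliveCountMax=2 -o ConnectTimeout=5 \
            -R "$FORWARD" "$host" && rc=0 || rc=$?
        up=$(( $(date +%s) - start ))
        delay=$(next_delay "$delay" "$up")
        log "host=$host rc=$rc uptime=${up}s retry_in=${delay}s"
        attempt=$(( attempt + 1 ))
        sleep "$delay"
    done
}

if [ "${1:-}" = "start" ]; then run_tunnel 0; fi
```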

vincentpants 8 months ago
Curious what advantages this has over mosh?

https://mosh.org/

cperciva 8 months ago
If your concern is to have secure tunnels between hosts, you should probably use spiped rather than SSH, since it uses a separate TCP connection for each pipe -- this avoids the "connection dropped" problem and also the "multiplexing many connections over one TCP connection" performance hit.

Also, spiped is way simpler and more secure than SSH. (On my servers, I tunnel SSH over spiped, to protect the sshd from attacks.)

eichin 8 months ago
Per https://github.com/Autossh/autossh/issues/7 this is *not* upstream - that would be https://www.harding.motd.ca/autossh/

paulfharrison 8 months ago
For web-servers on remote machines, I have found this useful:

    socat TCP4-LISTEN:1234,fork,bind=127.0.0.1 EXEC:'ssh my.remote.server nc 127.0.0.1 1234'

1234 = local/remote port. Can be adapted to use unix sockets at the remote end. my.remote.server = your remote server address.

This will set up a tunnel only when needed, and seems to play nicely with my browser.

botto 8 months ago
I've used autossh to have a reverse tunnel open connection back to my work desktop, IT never found it and I had that in place for year

hi-v-rocknroll 8 months ago
The last time I used autossh it was on a client site to keep 2 layers of ssh tunnels open to jump through their network isolation hoops.

In general, when flexibility is possible, such a use-case nowadays would often be better served by deploying WireGuard. Grouchy, out-of-touch corporate net admins probably don't even know what it is and insist on their antiquated Cisco VPNs.

bashkiddie 8 months ago
I used to be a happy user of `autossh` until 2023. I used it on Cygwin on Windows and was quite happy how reliably it set up my tunnels (upon tunnels) in a flaky corporate network. `autossh` worked reliably compared to `ssh`'s many timeout options.

I would still recommend it.

mifydev 8 months ago
I'd recommend https://eternalterminal.dev/, compared to mosh (poor colors support), this is the only thing that manages to consistently keep up my ssh sessions.

aborsy 8 months ago
Wouldn't ssh with systemd or autossh be a more secure means of remote access to apps (like http/https apps) than the zero trust network access solutions (like Cloudflare Tunnels which terminates the TLS) or even Tailscale (which should be a trusted third party)?

You set up public key authentication with SSH to a reverse proxy, a persistent tunnel, and a socks proxy. In a Firefox profile, you set localhost:port. Done! All your services are available in that browser all the time.

Autossh with a reverse ssh tunnel can also be used to expose an internal service to the Internet through a VPS.

SSH has been very secure over the decades. A good feature of SSH is that it can jump from host to host, unlike VPN.

_davide_ 8 months ago
May I suggest a tool built for application level portals instead?

https://github.com/build-trust/ockam

One binary, easy to use, no ssh getting stuck! (yep, I work at Ockam :)

isoprophlex 8 months ago
Not 100% the same use case as autossh was built for maybe, but I'm now simply throwing tailscale on every box I need to interact with. Does away with all the port forwarding stuff, it's absolutely delightful.

dheera 8 months ago
autossh is nice but the default options suck. I have to do something like this for it to work well

    autossh -f -N -o ServerAliveCountMax=2 -o ServerAliveInterval=5 -o ConnectTimeout=5 -o BatchMode=yes [...]

dingi 8 months ago
Sometime back, I had a Raspberry Pi connected to the wired network of a coworking space. I remember using autossh to keep a tunnel open with one of my VPS. Mainly used it as a torrent box. I added magnet links through the qbittorrent webui installed on the Raspberry Pi. Qbittorrent was configured to only run at night time to not cause issues for business work. Downloaded all sorts of things, easily reaching thousands of GBs throughout my time there. They never found out. Or they didn't care to look. Good times.

sgt 8 months ago
Rather than using AutoSSH for port forwarding and such, I just create a systemd unit with a restart policy. Then you don't need autossh at all, just use ssh.

ndreas 8 months ago
I used to use autossh to set up a SOCKS proxy to tunnel my web browser traffic via my home network and it worked really well. Also had a ControlMaster on the tunnel which made SSH connections to my server instantaneous.

Nowadays I use wireguard and a dedicated SOCKS proxy. The upside is that I can access everything on my home network directly without having to tunnel.

amelius 8 months ago
Nice tool, but I'm getting tired of using port numbers for everything instead of more descriptive strings. My system has more than 10 tunnels and servers running, and since I only do sysadmin work once every half year or so, the port numbers are very cumbersome to deal with.

qwertox 8 months ago
I use this to set up reverse tunnels, for example to set up MongoDB replica sets which sync through SSH. It kind of simplifies the security aspect of replica sets a bit, since then MongoDB does not need to be exposed to the internet and no VPN setup is needed.

frizlab 8 months ago
How is this different from this

    ssha () {
        while true
        do
            ssh "$@"
            sleep 1
        done
        true
    }

EDIT: Oh I think I know, autossh must be detecting when the connexion is closed but ssh does not automatically…

chasil 8 months ago
Use stunnel for non-interactive tunneling over TLS.

It is much more straightforward than ssh for this purpose, and works well with socket activation under systemd.

I use it with the systemd automounter to encrypt NFSv4, and I have found it to be quite reliable.

leetrout 8 months ago
I used autossh to do terrible things securing redis back in 2013. Fantastic tool.

jbverschoor 8 months ago
Can't recommend… just loop ssh.

I've run autossh for quite some time but it was not reliable enough under my conditions

pawelduda 8 months ago
I used autossh to access hundreds of on prem client machines via a reverse SSH tunnel. Never failed me!

whatever1 8 months ago
Why does SSH not do this by default? Why does the average Joe want his SSH session to time out?

89nn 8 months ago
Is there anything like this but for `kubectl port-forward`?

whalesalad 8 months ago
mosh