Why I can't run ssh tunnel on startup?

Hi, I'm having trouble to establish reverse ssh tunnel from /etc/rc.local. SSH is either not executed, or fails silently. What is the catch?

root@openwrt:~# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
sleep 10
ssh -NT -R 33333:localhost:22 -i /etc/config/private.key openwrt@ -p 3322 &
exit 0

The ssh tunnet is not established on reboot. However, when I ssh to router and run /etc/rc.local manually, it works

root@openwrt:~# /bin/ash /etc/rc.local
root@openwrt:~# ps | grep ssh
 1358 root      1144 S    ssh -NT -R 33333:localhost:22 -i /etc/config/private.key openwrt@ -p 3322
 1360 root      1208 R    grep ssh

When I execute some sh script or another command from /etc/rc.local (like "logger been here"), it works fine, just ssh does not and I don't know why and how to debug it. The idea is to use reverse ssh to be able to remotely manage network on non public ipv4. Everything works fine, I can connect to reverse tunnel until the router reboots. Thank you for help.

1 Like

Add debug/verbosity option on the command line and redirect the output to the file, then review it.


Thanks for the idea! Openwt's build of ssh does not have verbose or debug options, so I can't use -v, -vvvv etc, so I didn't know how to debug. But you led me to idea to pipe stderr "2>/tmp/ssherr.log"

root@openwrt:~# cat /tmp/ssherr.log

Host '' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! xx:xx:xx:.......)
Do you want to continue connecting? (y/n) 
ssh: Connection to openwrt@ exited: Didn't validate host key

So the question is why ssh thinks it has not validated the host? Are the commands executed from rc.local executed as different user (not root), so it does not see the known_hosts? The host's key is validated and present in /root/.ssh/known_hosts. Can I force ssh to use this known_hosts file?

1 Like


maybe network is not up yet when rc.local is executed

try to add

ifconfig > /tmp/interfaces

in rc.local, so you could see which ones are up when rc.local is executed

I would try to delay the command execution like it was discussed here.
If you're concerned about the known_hosts file you could probably check this file in your script and store the result in the same log.


Thank you, guys. The network is up, it is not the problem. I actually tried to execute it from sh script "while true do ssh done" first, which I plan to use anyway, to handle network disconnections etc. But it never worked from rc.local. The reason is clear now, ssh executed from rc.local uses some different known_hosts. But how can I tell which one?

I came to temporary solution though. Openwrt's ssh build has -y parameter (instead of -o StrictHostKeychecking=no), which tells ssh to ignore authenticity of a host, but I'd rather do this securely. Any idea how?

Thanks guys for your help. I came to solution! :blush: First, I executed from rc.local "yes | ssh...." and looked what changed. Ssh created /.ssh/known_hosts on the device (yeah, indeed in the / folder). For reasons unknown to me, it uses this file. Now when I remove yes | ssh and reboot, I can execute normally and ssh uses this file for host checking. This file should persist across reboots till next firmware upgrade. Strange behaviour indeed. :roll_eyes:

1 Like

Yes, known issue of HOME not set correctly for the scripts.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.