Hi, I'm having trouble establishing a reverse ssh tunnel from /etc/rc.local. SSH is either not executed, or fails silently. What is the catch?
root@openwrt:~# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
sleep 10
ssh -NT -R 33333:localhost:22 -i /etc/config/private.key openwrt@10.0.0.2 -p 3322 &
exit 0
The ssh tunnel is not established on reboot. However, when I ssh to the router and run /etc/rc.local manually, it works.
When I execute some sh script or another command from /etc/rc.local (like "logger been here"), it works fine; just ssh does not, and I don't know why or how to debug it. The idea is to use reverse ssh to be able to remotely manage a network on a non-public IPv4. Everything works fine, I can connect to the reverse tunnel until the router reboots. Thank you for your help.
Thanks for the idea! OpenWrt's build of ssh does not have verbose or debug options, so I can't use -v, -vvvv etc., so I didn't know how to debug. But you led me to the idea to pipe stderr with "2>/tmp/ssherr.log".
root@openwrt:~# cat /tmp/ssherr.log
Host '10.0.0.2' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! xx:xx:xx:.......)
Do you want to continue connecting? (y/n)
ssh: Connection to openwrt@10.0.0.2:3322 exited: Didn't validate host key
So the question is why ssh thinks it has not validated the host. Are the commands executed from rc.local run as a different user (not root), so it does not see the known_hosts? The host's key is validated and present in /root/.ssh/known_hosts. Can I force ssh to use this known_hosts file?
I would try to delay the command execution like it was discussed here.
If you're concerned about the known_hosts file you could probably check this file in your script and store the result in the same log.
Thank you, guys. The network is up; it is not the problem. I actually tried to execute it from an sh script "while true do ssh done" first, which I plan to use anyway, to handle network disconnections etc. But it never worked from rc.local. The reason is clear now: ssh executed from rc.local uses some different known_hosts. But how can I tell which one?
I came to a temporary solution though. OpenWrt's ssh build has a -y parameter (instead of -o StrictHostKeyChecking=no), which tells ssh to ignore the authenticity of a host, but I'd rather do this securely. Any idea how?
EDIT:
Thanks, guys, for your help. I came to a solution! First, I executed "yes | ssh...." from rc.local and looked at what changed. Ssh created /.ssh/known_hosts on the device (yeah, indeed in the / folder). For reasons unknown to me, it uses this file. Now when I remove "yes | ssh" and reboot, I can execute normally and ssh uses this file for host checking. This file should persist across reboots till the next firmware upgrade. Strange behaviour indeed.
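The approach the thread converges on (log stderr, know which known_hosts the client reads, and refuse the -y shortcut), as an added example that is neither the poster's rc.local nor OpenWrt's own code. It assumes the OpenWrt ssh client derives its known_hosts path from $HOME and falls back to /.ssh/known_hosts when HOME is unset during init, consistent with the /.ssh/known_hosts the poster found; REMOTE_HOST, REMOTE_PORT, ERRLOG and the revssh logger tag are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the poster's rc.local or OpenWrt's code.
# Starts the reverse tunnel with an explicit HOME, a pre-seeded known_hosts
# check and stderr logging, so a host-key problem is visible, not silent.
# Assumption: the OpenWrt ssh client reads $HOME/.ssh/known_hosts and falls
# back to /.ssh/known_hosts when HOME is unset (as it is during init).
REMOTE_HOST=10.0.0.2    # values from the thread
REMOTE_PORT=3322
ERRLOG=/tmp/ssherr.log

# known_hosts path the client will use for a given HOME value ("" = unset).
known_hosts_path() {
    if [ -z "$1" ]; then echo "/.ssh/known_hosts"; else echo "$1/.ssh/known_hosts"; fi
}

# Return 0 if FILE has a key line for HOST, written as "host" or "[host]:port"
# (comma-separated host lists are handled; hashed entries are not).
has_host_key() {
    file="$1" host="$2" port="$3"
    [ -r "$file" ] || return 1
    awk -v h="$host" -v hp="[$host]:$port" '
        /^[ \t]*#/ || NF == 0 { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h || names[i] == hp) found = 1 }
        END { exit (found ? 0 : 1) }' "$file"
}

# Reconnect loop; refuses to start if the host key was never validated,
# instead of falling back to -y (which skips host authentication).
start_tunnel() {
    export HOME=/root                 # make the known_hosts location deterministic
    kh=$(known_hosts_path "$HOME")
    if ! has_host_key "$kh" "$REMOTE_HOST" "$REMOTE_PORT"; then
        logger -t revssh "no key for $REMOTE_HOST in $kh; seed it interactively first"
        return 1
    fi
    while true; do
        ssh -NT -R 33333:localhost:22 -i /etc/config/private.key \
            -p "$REMOTE_PORT" "openwrt@$REMOTE_HOST" 2>>"$ERRLOG"
        logger -t revssh "tunnel exited with status $?, retrying in 30s"
        sleep 30
    done
}

# From /etc/rc.local:  sh /etc/revssh.sh start &
case "${1:-}" in start) start_tunnel ;; esac
```

Seed the key once interactively as root (so it lands in /root/.ssh/known_hosts) and compare the fingerprint out of band; after that the script starts only when that entry is present and any failure is readable in $ERRLOG.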