+
+#### Public SSH Access ####
+
+Although frostburg is on a private subnet, I want public SSH access. The
+easiest way to set this up is via a reverse SSH tunnel to one of the public
+subgeniuskitty.com servers.
+
+This section refers to three machines:
+
+ - The **server** is frostburg.subgeniuskitty.com, a machine which we desire
+ to access across the internet despite residing on a private subnet.
+
+ - The **endpoint** is a server with public IP address which will serve as an
+ access portal for the *server*.
+
+ - The **client** is the human user's workstation, the machine which is
+ attempting to login to the *server* via the *endpoint*.
+
+First, setup appropriate login credentials on the *server*, which in this case
+is `frostburg.subgeniuskitty.com`. Ignore any warnings about `/home/username`
+already existing or not being owned by the correct user. These are simply a
+side effect of using ZFS since we must create the homedir before adding the
+user, but we can't change ownership until after the new user exists.
+
+ server:~ # zfs create rpool/home/username
+ server:~ # adduser username
+ server:~ # cp -a /etc/skel/. /home/username
+ server:~ # chown -R username:username /home/username
+ server:~ # zfs snapshot rpoot/home/username@account_creation
+
+If necessary for the intended tasks, add the user to any relevant groups with
+something like the following command.
+
+ server:~ # usermod -a -G netdev,plugdev,sudo,video username
+
+The user will also need login credentials on the *endpoint*. These credentials
+don't need to allow anything other than simply SSHing through to the *server*.
+
+ endpoint:~ # adduser username
+
+With appropriate credentials successfully created, move on to setting up a
+reverse SSH tunnel from *server* to *endpoint*.
+
+First, create an SSH key on the *server* with no passphrase and authorize it
+for logins on the *endpoint*. This will be used to bring the tunnel up when the
+machine boots. If a non-empty passphrase is specified, you will need to type it
+during the boot process.
+
+ server:~ # ssh-keygen
+ server:~ # scp /root/.ssh/id_rsa.pub username@endpoint:/home/username/temp_key_file
+ server:~ # ssh username@endpoint
+ (login requires password)
+ endpoint:~ % mkdir -p /home/username/.ssh
+ endpoint:~ % mv /home/username/temp_key_file /home/username/.ssh/authorized_keys
+ endpoint:~ % logout
+ server:~ # ssh username@endpoint
+ (login does not require password)
+ endpoint:~ % logout
+ server:~ # mv /root/.ssh/id_rsa rtunnel_nopwd
+ server:~ # mv /root/.ssh/id_rsa.pub rtunnel_nopwd.pub
+
+Next, create the tunnel using AutoSSH to maintain a long-term connection.
+
+ server:~ # apt-get install autossh
+ server:~ # vi /etc/systemd/system/autossh-tunnel.service
+ [Unit]
+ Description=AutoSSH tunnel between frostburg.SGK and www.SGK
+ After=network-online.target
+
+ [Service]
+ Environment="AUTOSSH_GATETIME=0"
+ ExecStart=/bin/autossh -N -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /root/.ssh/rtunnel_nopwd -R 4242:localhost:22 username@endpoint
+
+ [Install]
+ WantedBy=multi-user.target
+ server:~ # systemctl daemon-reload
+ server:~ # systemctl start autossh-tunnel.service
+ server:~ # systemctl enable autossh-tunnel.service
+
+At this point the SSH tunnel is operational. Let's make things a little easier
+for the user by storing most of the config options in an SSH config file.
+
+ endpoint:~ # su - username
+ endpoint:~ % vi /home/username/.ssh/config
+ Host server
+ Hostname localhost
+ User username
+ Port 4242
+
+Now, when we execute `ssh server`, it is equivalent to the command
+`ssh -p 4242 username@localhost`, much easier to remember.
+
+It's time to test everything out. Starting from the *client*, you should now be
+able to login to the *server* via the *endpoint*.
+
+ client:~ % ssh username@endpoint
+ endpoint:~ % ssh server
+ server:~ %
+
projects / website_subgeniuskitty.com / blobdiff