From 56f1fca381b9d022f69b5cfbeea81e12d12db5e7 Mon Sep 17 00:00:00 2001
From: Aaron Taylor
Date: Sun, 2 May 2021 17:26:41 -0700
Subject: [PATCH] Added instructions for setting up reverse SSH tunnel to frostburg.SGK.
---
 data/notes/xeon_phi_server.md | 101 +++++++++++++++++++++++++++++++++-
 1 file changed, 100 insertions(+), 1 deletion(-)
diff --git a/data/notes/xeon_phi_server.md b/data/notes/xeon_phi_server.md
index 6682fb2..59156f4 100644
--- a/data/notes/xeon_phi_server.md
+++ b/data/notes/xeon_phi_server.md
@@ -772,8 +772,107 @@ Create the file `/etc/cron.d/status-emails` with the following contents.
 SHELL=/bin/bash
 0 0 * * 0 root /sbin/zpool status | echo -e "Subject:FROSTBURG: zpool status\n\n $(cat -)" | msmtp ataylor@subgeniuskitty.com
---------------------------------------------------------------------------------
+#### Public SSH Access ####
+
+Although frostburg is on a private subnet, I want public SSH access. The
+easiest way to set this up is via a reverse SSH tunnel to one of the public
+subgeniuskitty.com servers.
+
+This section refers to three machines:
+
+ - The **server** is frostburg.subgeniuskitty.com, a machine which we desire
+ to access across the internet despite residing on a private subnet.
+
+ - The **endpoint** is a server with public IP address which will serve as an
+ access portal for the *server*.
+
+ - The **client** is the human user's workstation, the machine which is
+ attempting to login to the *server* via the *endpoint*.
+
+First, setup appropriate login credentials on the *server*, which in this case
+is `frostburg.subgeniuskitty.com`. Ignore any warnings about `/home/username`
+already existing or not being owned by the correct user. These are simply a
+side effect of using ZFS since we must create the homedir before adding the
+user, but we can't change ownership until after the new user exists.
+
+ server:~ # zfs create rpool/home/username
+ server:~ # adduser username
+ server:~ # cp -a /etc/skel/. /home/username
+ server:~ # chown -R username:username /home/username
+ server:~ # zfs snapshot rpoot/home/username@account_creation
+
+If necessary for the intended tasks, add the user to any relevant groups with
+something like the following command.
+
+ server:~ # usermod -a -G netdev,plugdev,sudo,video username
+
+The user will also need login credentials on the *endpoint*. These credentials
+don't need to allow anything other than simply SSHing through to the *server*.
+
+ endpoint:~ # adduser username
+
+With appropriate credentials successfully created, move on to setting up a
+reverse SSH tunnel from *server* to *endpoint*.
+
+First, create an SSH key on the *server* with no passphrase and authorize it
+for logins on the *endpoint*. This will be used to bring the tunnel up when the
+machine boots. If a non-empty passphrase is specified, you will need to type it
+during the boot process.
+
+ server:~ # ssh-keygen
+ server:~ # scp /root/.ssh/id_rsa.pub username@endpoint:/home/username/temp_key_file
+ server:~ # ssh username@endpoint
+ (login requires password)
+ endpoint:~ % mkdir -p /home/username/.ssh
+ endpoint:~ % mv /home/username/temp_key_file /home/username/.ssh/authorized_keys
+ endpoint:~ % logout
+ server:~ # ssh username@endpoint
+ (login does not require password)
+ endpoint:~ % logout
+ server:~ # mv /root/.ssh/id_rsa rtunnel_nopwd
+ server:~ # mv /root/.ssh/id_rsa.pub rtunnel_nopwd.pub
+
+Next, create the tunnel using AutoSSH to maintain a long-term connection.
+
+ server:~ # apt-get install autossh
+ server:~ # vi /etc/systemd/system/autossh-tunnel.service
+ [Unit]
+ Description=AutoSSH tunnel between frostburg.SGK and www.SGK
+ After=network-online.target
+
+ [Service]
+ Environment="AUTOSSH_GATETIME=0"
+ ExecStart=/bin/autossh -N -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i /root/.ssh/rtunnel_nopwd -R 4242:localhost:22 username@endpoint
+
+ [Install]
+ WantedBy=multi-user.target
+ server:~ # systemctl daemon-reload
+ server:~ # systemctl start autossh-tunnel.service
+ server:~ # systemctl enable autossh-tunnel.service
+
+At this point the SSH tunnel is operational. Let's make things a little easier
+for the user by storing most of the config options in an SSH config file.
+
+ endpoint:~ # su - username
+ endpoint:~ % vi /home/username/.ssh/config
+ Host server
+ Hostname localhost
+ User username
+ Port 4242
+
+Now, when we execute `ssh server`, it is equivalent to the command
+`ssh -p 4242 username@localhost`, much easier to remember.
+
+It's time to test everything out. Starting from the *client*, you should now be
+able to login to the *server* via the *endpoint*.
+
+ client:~ % ssh username@endpoint
+ endpoint:~ % ssh server
+ server:~ %
+
+
+--------------------------------------------------------------------------------
 ## Xeon Phi Kernel Module ##
-- 
2.20.1