Hello community,

here is the log from the commit of package autossh for openSUSE:Factory checked 
in at 2015-05-11 19:39:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/autossh (Old)
 and      /work/SRC/openSUSE:Factory/.autossh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "autossh"

Changes:
--------
--- /work/SRC/openSUSE:Factory/autossh/autossh.changes  2014-12-21 
12:04:21.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.autossh.new/autossh.changes     2015-05-11 
19:49:21.000000000 +0200
@@ -1,0 +2,15 @@
+Fri Apr 24 21:08:10 UTC 2015 - [email protected]
+
+- change autossh.service content to reflect it is a READONLY file.
+- change the install line for autossh.service to:
+%__install -D -m 444 %{S:3} %{buildroot}%{_unitdir}/[email protected]
+    * This has 2 big changes.  First the permissions are 444, so READONLY.
+    * Second, note the @ char in the target name.  
+          This makes it an instantiated service file
+- add a sample my.conf override file
+- add a README.SUSE.md file that:
+    * explains how to use systemd instantiated service 
+    * how to use the override file
+    * a full walkthru of how to setup a reverse tunnel
+
+-------------------------------------------------------------------
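Review bot: The entry describes the switch to an instantiated unit (the "@" in the target name) but does not say that the plain autossh.service name goes away, so a system that had the old unit enabled loses its tunnel on upgrade with no hint in the changelog. Add a line stating that existing users must re-enable the service as a named instance and move their ExecStart into the override file.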

New:
----
  README.SUSE.md
  my.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ autossh.spec ++++++
--- /var/tmp/diff_new_pack.h0oEZ4/_old  2015-05-11 19:49:21.000000000 +0200
+++ /var/tmp/diff_new_pack.h0oEZ4/_new  2015-05-11 19:49:21.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package autossh
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 %if 0%{?suse_version} > 1220
 %define with_systemd 1
 %else
@@ -33,6 +34,8 @@
 Source1:        autossh.init
 Source2:        autossh.conf
 Source3:        autossh.service
+Source4:        my.conf
+Source5:        README.SUSE.md
 Patch0:         autossh-makefile-destdir.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -58,6 +61,8 @@
 %prep
 %setup
 %patch0 -p1
+cp %{S:4} .
+cp %{S:5} .
 
 %build
 %configure
@@ -67,7 +72,7 @@
 %makeinstall
 %__mkdir_p %{buildroot}%{_sbindir}
 %if %{with_systemd}
-%__install -D -m 755 %{S:3} %{buildroot}%{_unitdir}/autossh.service
+%__install -D -m 444 %{S:3} %{buildroot}%{_unitdir}/[email protected]
 ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh
 %else
 %__install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/autossh
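Review bot: The unchanged context line "ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcautossh" still creates rcautossh, but after the rename on the line above there is no plain autossh unit for it to act on, only a template that needs an instance name. Either drop the symlink in the systemd branch or document how it is meant to be used with instances. On the mode change, 444 does not stop root from editing the file, and unit files are conventionally installed 644; the "DO NOT EDIT" header in the unit already carries the message.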
@@ -101,11 +106,11 @@
 
 %files
 %defattr(-, root, root, 0755)
-%doc CHANGES README
+%doc CHANGES README README.SUSE.md my.conf
 %doc autossh.host rscreen
 %{_bindir}/autossh
 %if %{with_systemd}
-%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}@.service
 %else
 %{_initrddir}/autossh
 /var/adm/fillup-templates/sysconfig.autossh
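Review bot: my.conf is packaged only through the %doc line, yet README.SUSE.md tells users to copy it from /usr/share/doc/packages/autossh/, so on a system installed without documentation the documented setup step has nothing to copy. Consider installing the sample outside the doc directory, or have the README show the file contents inline. The rename in the last changed line also has no visible upgrade handling for systems that have the old unit enabled.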

++++++ README.SUSE.md ++++++

This README is written in markdown format.  The retext editor in "preview" mode 
is one method of viewing it properly.
Anyone editing this document should verify it displays properly in retext 
preview mode before submitting changes.

# autossh

autossh is designed to let you setup both normal encrypted and reverse 
encrypted tunnels.

## autossh with systemd

To use autossh as a systemd service the following MUST be done at a minimum:

autossh is an "instantiated" service with systemd meaning you can instantiate
it multiple times in order to create multiple tunnels

The below is psuedo code that shows what YOU need to do.
The values for my_tunnel should be whatever you desire them to be

for (my_tunnel in ssh http imap pop) {
>       sytemctl enable autossh@${my-tunnel}.service

>       mkdir /etc/systemd/system/autossh@${my-tunnel}.service.d
        cp /usr/share/doc/packages/autossh/my.conf 
/etc/systemd/system/autossh@${my-tunnel}.service.d
        edit /etc/systemd/system/autossh@${my-tunnel}.service.d/my.conf to 
reflect your needs

>       sytemctl start autossh@${my-tunnel}.service

}
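Review bot: Both the enable and the start line in this pseudo code spell the command "sytemctl", and the loop variable is introduced as my_tunnel but expanded as ${my-tunnel}, which in a real shell means "value of my, or the word tunnel if unset". Even for pseudo code, readers will paste these lines; use systemctl and one variable name throughout. Enabling the instance before its override directory exists is harmless, but putting the mkdir, cp and edit steps first would match the order in which they have to succeed.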

The author of this README only uses autossh for reverse tunnels, so see
the below reverse tunnels description for detailed instructions of that usage.

## autossh to create reverse encrypted tunnels

This README supplements the above.

You should read and understand the instructions in the above before reading 
these.

These are detailed steps you must do to actually use autossh in openSUSE.

### Reverse tunnel overview

autossh is designed to let you setup both normal encrypted and reverse 
encrypted tunnels.

With a reverse encrypted tunnel you can, as an example, have a machine behind
a NAT firewall expose a ssh listening port by tunneling it through a well known
server to a public facing port on the internet.

This README is setup to expose port 22 (the ssh port) of a target openSUSE
PC to the world by opening a port 2222 tunnel port on a public facing
openSUSE server in the cloud.  It is assumed port 2222 will be where
ssh clients will connect to.  Those connections will be forwarded via
the ssh reverse tunnel to port 22 on the target PC hidden behind the firewall.

### Step one goal

>From the target openSUSE PC ensure root can issue a ssh command to your public 
>openSUSE server and not have a password be requested.

ssh -i /root/.ssh/id_rsa.autossh [email protected]

autossh can be any user account on both the target and public servers, but it 
is recommended it be one dedicated to providing tunnels and not allow 
interactive login.

my.cloud.server  => replace with the fqdn of your public server.

### Step one

on the public (cloud) PC:
>   sudo /usr/sbin/useradd -m autossh    (or other as you desire) <br>
   sudo passwd autossh   # set a tempory password

on the target PC:
>   sudo /usr/sbin/useradd -m autossh    (or other as you desire)  <br>
>   sudo passwd autossh   # set a tempory password   <br>
>   start a command line as autossh (or su - autossh) <br>
>   ssh-keygen  (take defaults for all questions) <br>
>   scp /home/autossh/.ssh/id_rsa.pub [email protected]:id_rsa.pub <br>
>   ssh [email protected]  <br>
>>        (accept the cert and enter password) <br>
           mkdir .ssh  <br>
           cat id_rsa.pub >>  .ssh/authorized_keys <br>
           rm id_rsa.pub  <br>
           logout

>   ssh [email protected] <br>
>>         (password should not be required)
>>         logout

>   sudo cp /home/autossh/.ssh/id_rsa /root/.shh/id_rsa.autossh <br>
>   sudo ssh -i /root/.ssh/id_rsa.autossh [email protected] <br>
>>         (password should not be required)
>>         logout
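Review bot: The copy step writes the private key to /root/.shh/id_rsa.autossh while the next line and every later step read /root/.ssh/id_rsa.autossh, so the sudo ssh test fails as written; fix the directory name. Since this is a passphrase-less key that root uses unattended, the README should also tell the reader to limit what it can do on the public server, for example by prefixing the authorized_keys entry with options such as no-pty, no-agent-forwarding and no-X11-forwarding, and to confirm the copied key file is readable by root only. The temporary passwords set at the start of the step are never removed or locked afterwards; add that as a closing action.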

### Step two

on the public (cloud) PC:
>   sudo /usr/sbin/usermod -s /sbin/nologin autossh

on the target PC:
>   test that ssh connects, but the connection is immediately closed  <br>
   sudo ssh -i /root/.ssh/id_rsa.autossh [email protected]

### Step three
Assuming you are using systemd:

on the target PC:
> sudo systemctl enable [email protected] <br>
> sudo mkdir /etc/systemd/system/[email protected]  <br>
> sudo cp /usr/share/doc/packages/autossh/my.conf 
> /etc/systemd/system/[email protected]  <br>
> sudo vi /etc/systemd/system/[email protected]/my.conf

>> replace ExecStart line with:

>>ExecStart=/usr/bin/autossh -i /root/.ssh/id_rsa.autossh -M 0 -NR 
>>*:2222:localhost:22 -o TCPKeepAlive=yes [email protected]

>> and of course replace the server name.

>>fyi: this command says  <br>
 * - On the public facing server allow all IPs to connect  <br>
 2222 - On the public facing server listen on port 2222  <br>
 localhost - name of local PC the tunnel is exposing  <br>
 22 - port on local PC the tunnel is exposing

> sudo systemctl start [email protected]
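Review bot: The ExecStart line requests a bind on "*:2222", and the explanation says this lets all IPs connect, but sshd on the public server honours a client-requested bind address only when GatewayPorts is set to yes or clientspecified; with the default setting the listener stays on loopback and the remote-client test in step four cannot succeed. Document the required sshd_config change on the public server. Because the result is the target's sshd reachable from the internet, the README should also state that trade-off and suggest the loopback form (2222:localhost:22) for readers who only need access from the public server itself.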


### Step four

test

In order to eliminate firewall issues test first directly on the public facing 
server:

On public (cloud) server -
ssh -l <valid_user> -p 2222 localhost

That should open a ssh connection from the public server through the ssh 
reverse tunnel to the target PC.

Once that works, expand your testing to other client machines.  If you have 
issues be sure to check the firewall status of your public facing server.
++++++ autossh.service ++++++
--- /var/tmp/diff_new_pack.h0oEZ4/_old  2015-05-11 19:49:21.000000000 +0200
+++ /var/tmp/diff_new_pack.h0oEZ4/_new  2015-05-11 19:49:21.000000000 +0200
@@ -1,11 +1,15 @@
+# DO NOT EDIT THIS FILE,
+# use /etc/systemd/system/autossh@*.service.d/my.conf to override this file 
instead
+
 [Unit]
 Description=AutoSSH service for port 2222
 After=network.target
 
 [Service]
 Environment="AUTOSSH_GATETIME=0"
-ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes 
[email protected]
+ExecStart=echo "This line MUST be overridden.  See 
/usr/share/doc/packages/autossh/README.SUSE.md for details."
 
 [Install]
 WantedBy=multi-user.target
 
+# DO NOT EDIT THIS FILE,
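Review bot: The new ExecStart uses a bare "echo", which older systemd releases reject because they require an absolute path, and where it does run it exits 0, so an instance started without an override looks like a success instead of a failure. Use an absolute path and a command that fails, so that a missing override is visible in systemctl status. The Description context line still says "port 2222" for every instance; using the instance specifier %i there would let each tunnel identify itself. The header comment repeated on the last added line ends at the comma and omits the pointer to the override file.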

++++++ my.conf ++++++
# Override and reset the Description to blank
Description=
# Then append my local description to the blank Description
Description=AutoSSH service for ssh reverse tunnel

# Override and reset ExecStart to blank
ExecStart=

# Append a legal command to create a normal encrypted tunnel
# ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes 
[email protected]

# OR

# Append a legal command to create a reverse encrypted tunnel
# ExecStart=/usr/bin/autossh -M 0 -NR 2222:localhost:2222 -o TCPKeepAlive=yes 
[email protected]
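Review bot: The sample override has no [Unit] or [Service] section headers, so when it is copied into the .service.d directory as the README instructs, systemd ignores the Description= and ExecStart= assignments as being outside any section. Put Description under [Unit] and ExecStart under [Service]. The commented reverse-tunnel example forwards to port 2222 on the local side, while the README walkthrough forwards to port 22; align the two so the sample matches the documented use case. Neither sample passes -i, so a reader who follows the README's key setup and uncomments one of them will not be using the dedicated key.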

