Created
June 23, 2019 17:48
-
-
Save AfroThundr3007730/9bfdc305a8fceb805fb340dd1ca5b8c0 to your computer and use it in GitHub Desktop.
Create an on-demand SSH-based SOCKS5 proxy via systemd socket activation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# These steps will allow the setup of an on-demand SSH proxy | |
# Three unit files will be created to serve this purpose: | |
# ssh-socks-helper.socket - The listening socket providing activation | |
# ssh-socks-helper.service - A systemd proxy to pass the socket fd | |
# ssh-socks.service - The actual SSH service providing the tunnel | |
cat <<'EOF' > ~/.config/systemd/user/ssh-socks-helper.socket | |
[Unit] | |
Description=Proxy Helper Socket for Bastion SOCKS5 Proxy | |
[Socket] | |
ListenStream=1080 | |
[Install] | |
WantedBy=sockets.target | |
EOF | |
cat <<'EOF' > ~/.config/systemd/user/ssh-socks-helper.service | |
[Unit] | |
Description=Proxy Helper Service for Bastion SOCKS5 Proxy | |
Requires=ssh-socks-helper.socket | |
BindsTo=ssh-socks.service | |
After=ssh-socks.service | |
[Service] | |
ExecStartPre=/bin/sleep 5 | |
ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:10080 | |
TimeoutStopSec=5 | |
[Install] | |
WantedBy=multi-user.target | |
EOF | |
cat <<'EOF' > ~/.config/systemd/user/ssh-socks.service | |
[Unit] | |
Description=On-Demand Bastion SOCKS5 Proxy Service | |
[Service] | |
ExecStart=/usr/bin/ssh -aqND 10080 your.bastion.host | |
[Install] | |
WantedBy=multi-user.target | |
EOF | |
systemctl --user enable ssh-socks.service | |
systemctl --user enable ssh-socks-helper.service | |
systemctl --user enable ssh-socks-helper.socket | |
systemctl --user start ssh-socks-helper.socket | |
@MestreLion Sorry for the late reply.
The socket unit passes the traffic via file descriptor to the service unit instead of as a TCP socket, so systemd-socket-proxyd
receives that FD and sends the traffic again to the listening SSH process. This extra step is only necessary for services that don't know how to receive traffic from a file descriptor or that expect to only interact via a listening network socket.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What is the
systemd-socket-proxyd
for? Couldn't thessh-socks.service
be bound directly to the socket service ?