Created February 24, 2020 15:28
rlerdorf/3e2aac2abd1922ee60e7b56ae2a4e986
The setup I use to manage machines remotely is all based on each machine maintaining an ssh connection to a central server sitting in a colo in San Jose. If you only want to manage machines that don't move around and are behind a router you control, it probably makes more sense to set up port forwarding on your router. Forward ports 22 (ssh), 5900 (vnc) and 3282 (ARD).

I use the proxy approach because I also manage laptops that may be connected from anywhere, like in a coffee shop behind NAT where I have no way to port forward from the router.
Create a keypair to use. In this example it is /Users/carl/.ssh/id_sshtunnel and /Users/carl/.ssh/id_sshtunnel.pub.

Put the public key in the authorized_keys file on the proxy server. In this example it is the sshtunnel user on pidgets.com.

Run ssh sshtunnel@pidgets.com from the client machine once to check that it works and to get the server's host key cached in known_hosts.
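Since the tunnel key sits on every managed laptop, the proxy side should treat it as tunnel-only: no shell, no PTY, and only the one reverse listener the launchagent opens. The following is an added shell example, not part of this gist, that emits such a restricted authorized_keys line for the sshtunnel user; the sample public key is constructed, and the `sshtunnel-<port>` comment is a naming assumption.

```shell
#!/bin/sh
# Added example (not from the gist): build a locked-down authorized_keys
# entry for the tunnel key on the proxy server. Every managed laptop
# carries id_sshtunnel, so a lost laptop means a lost key; this entry
# makes that key good for the reverse listener and nothing else.
# Server side needs OpenSSH 7.8 or newer (permitlisten).

# tunnel_key_entry PUBKEY_FILE PORT
# Prints one authorized_keys line that lets the key open only a
# reverse forward (-R) on PORT, with no shell, PTY, agent or X11.
tunnel_key_entry() {
    pubkey_file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "tunnel_key_entry: PORT must be numeric" >&2; return 1 ;;
    esac
    # Keep only the key type and blob; the original comment is dropped
    # and replaced with one naming the tunnel port.
    read -r key_type key_blob _rest < "$pubkey_file" || return 1
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "tunnel_key_entry: unsupported key type '$key_type'" >&2; return 1 ;;
    esac
    # restrict        : no PTY, no agent/X11/port forwarding, no user rc
    # port-forwarding : turn forwarding back on, so that...
    # permitlisten    : ...only -R on this one port is accepted; sshd's
    #                   default GatewayPorts=no keeps it on loopback
    # command         : a session request runs /bin/false, never a shell
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s %s sshtunnel-%s\n' \
        "$port" "$key_type" "$key_blob" "$port"
}

# Constructed sample public key (not a real key), standing in for
# /Users/carl/.ssh/id_sshtunnel.pub from the client machine.
sample_pub=$(mktemp)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey carl@imac\n' > "$sample_pub"

# On the proxy server the output is appended to the sshtunnel user's file:
#   tunnel_key_entry id_sshtunnel.pub 2217 >> ~sshtunnel/.ssh/authorized_keys
tunnel_key_entry "$sample_pub" 2217
rm -f "$sample_pub"
```

The client side of the gist is unchanged by this: `ssh -N -R 2217:localhost:22` still succeeds, while an attempt to request a shell or a different reverse port with the same key is refused by sshd.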
On the client machine, set up a launchagent script that keeps the ssh connection always connected. Create this file, /Library/LaunchAgents/com.apple.sshtunnel.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.sshtunnel</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>Program</key>
    <string>/bin/sshtunnel</string>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
And create /bin/sshtunnel which contains (the 2nd line is one long line):

#!/bin/bash
/bin/bash -c "while [ 1 ]; do ssh -o ExitOnForwardFailure=yes -o ConnectTimeout=3 -o TCPKeepAlive=yes -o ServerAliveInterval=5 -o ServerAliveCountMax=5 -N -i /Users/carl/.ssh/id_sshtunnel -R 2217:localhost:22 sshtunnel@pidgets.com; sleep 1; done" >/dev/null 2>&1

Then:

chmod +x /bin/sshtunnel
sudo launchctl load /Library/LaunchAgents/com.apple.sshtunnel.plist
Now you should have a permanent tunnel into this machine from anywhere in the world. On your machine, add this to .ssh/config:

Host imac
    User carl
    ProxyCommand ssh -e none pidgets.com exec nc localhost 2217
    LocalForward 2218 localhost:5900
    LocalForward 2219 localhost:3283
    DynamicForward 8081
You need to be able to ssh into pidgets.com as yourself, of course. Now you can just:

ssh imac

and you should have a shell on the client machine. Or you can fire up VNC and point it at localhost:2218, or ARD (Apple Remote Desktop) and point it at localhost:2219.

The 2217, 2218 and 2219 port numbers are completely arbitrary, but the 2217 needs to match the port in the launchagent script above.

The DynamicForward line means that I can fire up a browser, set the browser's proxy to localhost:8081, and browse as if my browser was running on the client machine. I sometimes use that to get to the web UI for various services behind my firewall at home when I am travelling.

Make sure remote login and remote management are enabled on the client machine.