Master Secure SSH Tunneling with Autossh: A Complete Guide

AutoSSH is a tool that automates secure SSH login and monitoring, solving issues such as keeping SSH sessions alive and automatically reconnecting after network interruptions.

1. Tool Overview

Inspired by rstunnel, autossh launches SSH services and monitors them, restarting the SSH connection when the program or network fails.

In autossh 1.2 the method changed to use SSH to build a bidirectional redirect loop and test data exchange.

In autossh 1.3 a new method allows specifying a remote echo service port to avoid handshake conflicts; the old loop‑of‑forwardings method remains available.

Autossh enables reverse connections, allowing an internal host to connect to an external host through NAT or firewall mapping.

# Installation
$ yum install autossh
$ apt install autossh

2. Usage

Autossh leverages the native SSH port‑forwarding capabilities with minimal performance overhead.

Command Syntax

# autossh usage
autossh [-V] [-M port[:echo_port]] [-f] [SSH_OPTIONS]

Key Options

-M : Enables automatic reconnection and specifies the echo port. -D : Dynamic application‑level port forwarding on the local machine. -R : Forwards a remote host port to a local destination. -L : Forwards a local port to a remote host. -f : Run in background. -T : Do not allocate a pseudo‑terminal. -n : Used with -f. -N : Do not execute remote commands. -q : Quiet mode, suppress prompts and errors.

Example Commands

# Local port binding on host1
ssh -vv -N -D localhost:8527 user@host1 -p 8000
# Using autossh for automatic reconnection
autossh -M 5678 -vv -N -D localhost:8527 user@host1 -p 8000

3. Demonstrations

SSH only supports TCP port mapping. For a few ports, autossh is ideal; for many ports, tools like Ngrok may be preferable.

Local port binding and forwarding (-L)

# Open local listening port 5900 on host1 and forward to host2:8000
autossh -M 5678 -fCN -L 5900:localhost:8000 user@host2
autossh -M 5678 -fCN -L 5900:user@host2:8000 user@host2

Remote port forwarding (-R)

# Forward remote port 5900 on host3 to host2:8000
autossh -M 5678 -fCN -R 5900:localhost:8000 user@host2
autossh -M 5678 -fCN -R 5900:user@host2:8000 user@host2

Dynamic port forwarding (-D)

# Dynamic port forwarding
autossh -M 5678 -vv -D 1080 user@host1

4. Auto‑Start on Boot

On Ubuntu or CentOS, use systemd to manage autossh as a service. Create a unit file such as /etc/systemd/system/remote-autossh.service:

[Unit]
Description=AutoSSH service for remote tunnel
After=network-online.target

[Service]
User=root
ExecStart=/usr/bin/autossh -M 5678 -fCNR 18081:host2:8080 user@host1

[Install]
WantedBy=multi-user.target

For older systems, add the autossh command to rc.local or use an init.d script.

5. Start/Stop Scripts

Example scripts using expect to terminate existing SSH processes and launch autossh:

PASS="escapelife"

doexit(){
  expect -c "
    set timeout -1
    spawn $1 -t ps aux |grep escape |grep sshd |awk '{print $2}' |xargs kill -9
    expect {\"*?assword:*\" {send \"$PASS\r"}}
    expect eof
  "
}

dossh(){
  nohup expect -c "
    set timeout -1
    spawn $1
    expect {\"*?assword:*\" {send \"$PASS\r"; exp_continue}}
  " &
}

doexit "ssh -o -p 6622 user@host1"

dossh "autossh -o -M 5678 -N -L 5900:127.0.0.1:8000 user@host1 -p 6622"