You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: autossh/DOCS.md
+35-16Lines changed: 35 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -42,28 +42,17 @@ The add-on creates an SSH keypair and uses it to connect to the given host.
42
42
The public key can be found in the log after the first startup and must be copied to the remote server.
43
43
44
44
On your typical remote server Linux system the public key is added to `<users home>/.ssh/authorized_keys`.
45
-
Do NOT add the key to the root user's `authorized_keys` file.
46
-
We recommend a dedicated user that doesn't have access to anything that isn't needed.
47
-
Consider the Docker solution provided below.
48
45
49
-
**Security Note**
50
-
For additional security, we prepend some restrictions to the public key that [disallow anything](https://manpages.debian.org/experimental/openssh-server/authorized_keys.5.en.html#restrict) other than port forwarding on the remote server.
51
-
For this to work, you **must** leave the `-N` in the `other_ssh_options` section of the default config.
52
-
If you do not want to use these additional security measures, you can remove everything before the `ssh-ed25519 ...` part of the key printout.
53
-
54
-
Be aware that anyone with access to your local Home Assistant's file system (and thus the private key) will be able to log in to your remote server and can execute any command if the restrictions are not set.
46
+
Please consider the remote server security remarks provided below.
55
47
56
48
----
57
49
58
50
## Remote Server Configuration
59
51
60
-
The remote server is the machine hosting the SSH Server and the counterpart for your tunnel connection.
61
-
Most users might want to bind a domain name dedicated to their Home Assistant instance to this server's address.
52
+
The remote server is the machine hosting the SSH server and is the counterpart for the tunnelled connection initiated by this add-on.
62
53
63
-
By default, forwarded ports can only be bound to localhost.
64
-
To make it available on a public interface, either reconfigure SSH or set up a reverse proxy.
65
-
A docker solution is given as the most secure and the cleanest solution overall.
66
-
You can expose ports in three main ways:
54
+
By default, forwarded ports on SSH (openssh) can only be bound to localhost.
55
+
To make the forwarded port (i.e. the Home Assistant UI) available on a public interface, ideally linked to a dedicated domain name, a couple of options exist.
67
56
68
57
### Option 1: Enable SSH GatewayPorts
69
58
@@ -107,7 +96,7 @@ services:
107
96
- SUDO_ACCESS=false
108
97
- PUBLIC_KEY_FILE=/authorized_keys
109
98
volumes:
110
-
- ./openssh_config:/config # Enable AllowTcpForwarding and GatewayPorts after creation during first run
99
+
- ./openssh_config:/config # Enable AllowTcpForwarding and GatewayPorts after creation (during first docker run)
111
100
- ./authorized_keys:/authorized_keys:ro # Store the generated ssh key from the add-on logs here
112
101
labels:
113
102
traefik.enable: "true"
@@ -133,6 +122,36 @@ remote_port: 8123
133
122
134
123
----
135
124
125
+
## Additional Remarks
126
+
127
+
### Remote Server Security
128
+
129
+
The SSH key pair managed by this add-on is a security risk to your remote server.
130
+
Anyone with access to your local Home Assistant's file system will be able to log into your remote server and can execute arbitrary command.
131
+
132
+
**Solution, part 1:**
133
+
Consider isolating the SSH connection inside a docker container. See above.
134
+
135
+
**Solution, part 2:**
136
+
Limit the capabilities of the add-on's ssh key on the remote server.
137
+
This is done by adding [restrictions](https://manpages.debian.org/experimental/openssh-server/authorized_keys.5.en.html#restrict) right to the `authorized_keys` file.
138
+
By default, this add-on suggests adding `command="",restrict,port-forwarding,permitopen="127.0.0.1:8123"` in front of `ssh-ed25519 ...` in the log printout (the last part might differ).
139
+
Consider adding the complete suggested line to your remote server.
140
+
141
+
You **must** leave the `-N` in the `other_ssh_options` section of the default config to stay within these restrictions.
142
+
143
+
### Blocked Socket after Connection Timeout
144
+
145
+
You might encounter the error messages "Error: remote port forwarding failed for listen port 8123" or "sshd[431646]: error: bind [::]:8123: Address already in use" after the connection between server and client had a connection issue.
146
+
The remote server still sees the previous SSH session as connected while the client (this add-on) is trying to reconnect and fails to bind to the blocked socket.
147
+
The issue should quickly resolve itself, as the SSH server will eventually time-out and close the dead connection.
148
+
However, depending on your OS and existing configuration, this might not be the case.
149
+
150
+
**Solution:**
151
+
Please add `TCPKeepAlive yes`, `ClientAliveInterval 30`, and `ClientAliveCountMax 3` to `/etc/ssh/sshd_config` on the remote server.
0 commit comments