SSH RemoteForward fails with shared Control Socket

port-forwardingssh

My ~/.ssh/config contains:

ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p

Host hostname.example
    # TextMate rmate port
    RemoteForward :52698 localhost:52698

When I make an initial connection to the host, it successfully creates the master socket file at ~/.ssh-lachlanhunt@hostname.example:22.

But when I open a new terminal and attempt to make a second connection, I get this error:

$ ssh hostname.example
mux_client_forward: forwarding request failed: remote port forwarding failed for listen port 52698
muxclient: master forward request failed
ControlSocket /Users/lachlanhunt/.ssh/socket-lachlanhunt@hostname.example:22 already exists, disabling multiplexing
Warning: remote port forwarding failed for listen port 52698

But if I comment out the RemoteForward line in the config, it's able to successfully reuse the connection, making it connect faster. Is there any way I can configure ssh to support both multiplexed connections and enable the remote port forwarding, such that it only attempts to forward the port if it's the master connection?

My system:

macOS Sierra 10.12.6
OpenSSH_7.4p1, LibreSSL 2.5.0

Best Answer

I figured out a solution. I use the Match section with the host and negated exec keywords to test for the hostname and the existence of the control socket file. If the file doesn't exist, then this is the master connection, so setup the port forwarding. Otherwise, this is a slave connection and the forwarding is skipped.

ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p

Match host hostname1.example.com,hostname2.example.com !exec "[ -e ~/.ssh/socket-%r@%h:%p ]"
    # TextMate rmate port
    RemoteForward :52698 localhost:52698

Related Solutions

SSH – Adding Port Forwardings Programmatically on a ControlMaster SSH Session

That's quite simple, actually. Simply add the ctl_cmd -O forward to your existing command, thus:

ssh -M -L5555:localhost:22 remotehost

becomes:

ssh -O forward -M -L5555:localhost:22 remotehost

The ssh man page discusses the -O ctl_cmd option:

-O ctl_cmd
        Control an active connection multiplexing master process.  When the -O option is
        specified, the ctl_cmd argument is interpreted and passed to the master process.
        Valid commands are: “check” (check that the master process is running), “forward”
        (request forwardings without command execution), “exit” (request the master to
        exit), and “stop” (request the master to stop accepting further multiplexing
        requests).

This, of course, assumes you've either enabled ControlMaster yes in your ~/ssh/config file or -M on the command line.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

SSH – Adding Port Forwardings Programmatically on a ControlMaster SSH Session

Ssh – How to automate SSH login with password

Related Topic