#
-# only authentication supported is public key with indentity file specified
+# password authentication is not possible, publick key authentication must be used.
+# set "option IdentityFile" to he file from which the identity (private key) for RSA or DSA authentication is read.
+# The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
+# ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.
# pkcs11 support soon
#
+config server disney
+ option user mourinho
+ option hostname server.disney.com
+# option port 22
+# option retrydelay 1
+# option CheckHostIP yes
+# option Compression no
+# option CompressionLevel 6
+# option IdentityFile ~/.ssh/id_rsa
+# option LogLevel INFO
+# option ServerAliveCountMax 3
+# option ServerAliveInterval 0
+# option StrictHostKeyChecking ask
+# option TCPKeepAlive yes
+# option VerifyHostKeyDNS yes
+
+
# tunnelR(emote) - when the connection will be initiated to the R(emote) endpoint at
# remoteaddress:remoteport and then forward to localaddress:localport
#
config tunnelR http
- option user mourinho
- option hostname server.disney.com
- option identity /root/.ssh/id_rsa
+ option server disney
option remoteaddress *
option remoteport 9009
option localaddress 192.168.1.13
option localport 80
- option options '-o ServerAliveCountMax=3 -o ServerAliveInterval=20 -o StrictHostKeyChecking=false'
# tunnelL(ocal) - when the connection will be initiated to the L(ocal) endpoint at
# localaddress:localport and then forward to remoteaddress:remoteport
#
config tunnelL test
- option user mourinho
- option hostname server.disney.com
- option identity /root/.ssh/id_rsa
+ option server disney
option localaddress *
option localport 1022
option remoteaddress secretserver.disney.com
option remoteport 22
- option options '-o ServerAliveCountMax=3 -o ServerAliveInterval=20 -o StrictHostKeyChecking=false'
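Review bot: The tunnelL example `option localaddress *` binds the forward to secretserver.disney.com:22 on every interface of the device, which on a gateway presumably includes the WAN side; unless that is the intent, the example should read `option localaddress 127.0.0.1` (or the LAN address) with the wildcard called out as an explicit opt-in. With the old `-o StrictHostKeyChecking=false` default removed and the init script forcing BatchMode, an unknown host key now makes ssh fail instead of prompting, so the header block should say so, e.g. `# the server's host key must already be in known_hosts: ssh runs in BatchMode and never prompts`. The new comment lines also carry typos ("indentity", "publick", "to he file") worth fixing before this ships as the reference config.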
PIDFILE="/tmp/run/sshtunnel"
+load_server() {
+ server="$1"
+
+ config_get user $1 user
+ config_get hostname $1 hostname
+ config_get debuglevel $1 debuglevel "0"
+ config_get retrydelay $1 retrydelay "10"
+ config_get CheckHostIP $1 CheckHostIP
+ config_get Compression $1 Compression
+ config_get CompressionLevel $1 CompressionLevel
+ config_get IdentityFile $1 IdentityFile
+ config_get LogLevel $1 LogLevel
+ config_get ServerAliveCountMax $1 ServerAliveCountMax
+ config_get ServerAliveInterval $1 ServerAliveInterval
+ config_get StrictHostKeyChecking $1 StrictHostKeyChecking
+ config_get TCPKeepAlive $1 TCPKeepAlive
+ config_get VerifyHostKeyDNS $1 VerifyHostKeyDNS
+
+ error=""
+ [ -n "$user" ] || error="user is not set"
+ [ -n "$hostname" ] || error="${error:+$error; }hostname is not set"
+ [ "$retrydelay" -ge 0 ] || error="${error:+$error; }retrydelay must be a positive integer"
+ #[ -f "$IdentityFile" ] || error="${error:+$error; }IdentityFile $IdentityFile not accessible"
+ #add validation for the rest of the parameters
+ [ -n "$error" ] && { logger -p user.err -t "sshtunnel" "tunnels to $server not started - $error"; return; }
+
+ tunnels_cmd=""
+ count=0
+ config_foreach load_tunnel tunnelR && config_foreach load_tunnel tunnelL
+ [ -n "$error" ] && { logger -p user.err -t "sshtunnel" "tunnels to $server not started - $error"; return; }
+ [ "$count" -eq 0 ] && { logger -p user.err -t "sshtunnel" "tunnels to $server not started - no tunnels defined"; return; }
+
+ cmd="${CheckHostIP:+-o CheckHostIP=$CheckHostIP }"
+ cmd="$cmd${CheckHostIP:+-o CheckHostIP=$CheckHostIP }"
+ cmd="$cmd${Compression:+-o Compression=$Compression }"
+ cmd="$cmd${CompressionLevel:+-o CompressionLevel=$CompressionLevel }"
+ cmd="$cmd${IdentityFile:+-o IdentityFile=$IdentityFile }"
+ cmd="$cmd${LogLevel:+-o LogLevel=$LogLevel }"
+ cmd="$cmd${ServerAliveCountMax:+-o ServerAliveCountMax=$ServerAliveCountMax }"
+ cmd="$cmd${ServerAliveInterval:+-o ServerAliveInterval=$ServerAliveInterval }"
+ cmd="$cmd${StrictHostKeyChecking:+-o StrictHostKeyChecking=$StrictHostKeyChecking }"
+ cmd="$cmd${TCPKeepAlive:+-o TCPKeepAlive=$TCPKeepAlive }"
+ cmd="$cmd${VerifyHostKeyDNS:+-o VerifyHostKeyDNS=$VerifyHostKeyDNS }"
+ cmd="$cmd""-o ExitOnForwardFailure=yes -o BatchMode=yes -nN $tunnels_cmd $user@$hostname"
+
+ /usr/bin/sshtunnel.sh "$cmd" "$retrydelay" "$server" &
+ echo $! >> "$PIDFILE".pids
+ logger -p user.info -t "sshtunnel" "started tunnels to $server (pid=$!;retrydelay=$retrydelay)"
+}
+
load_tunnel() {
- config_get user $1 user
- config_get hostname $1 hostname
- config_get identity $1 identity
- config_get remoteport $1 remoteport
- config_get localport $1 localport
- config_get options $1 options '-o ServerAliveCountMax=3 -o ServerAliveInterval=20 -o StrictHostKeyChecking=false'
- config_get retrydelay $1 retrydelay "10"
+ config_get section_server $1 server
+ [ "$server" = "$section_server" ] || return 0 # continue to read next section if this is not for the current server
+ let count++ # count nr of valid sections to make sure there are at least one
+
+ config_get remoteport $1 remoteport
+ config_get localport $1 localport
[ "$cfgtype" = "tunnelL" ] && {
- config_get localaddress $1 localaddress "127.0.0.1"
- config_get remoteaddress $1 remoteaddress "*"
+ config_get localaddress $1 localaddress "*"
+ config_get remoteaddress $1 remoteaddress
}
[ "$cfgtype" = "tunnelR" ] && {
- config_get localaddress $1 localaddress "*"
- config_get remoteaddress $1 remoteaddress "127.0.0.1"
+ config_get localaddress $1 localaddress
+ config_get remoteaddress $1 remoteaddress "*"
}
- local error
- [ -f "$identity" ] || error="Identity file $identity not accessible"
- [ -n "$user" ] || error="please set user option"
- [ -n "$hostname" ] || error="please set hostname option"
- [ "$remoteport" -gt 0 -a "$localport" -gt 0 -a "$retrydelay" -ge 0 ] || error="invalid configuration"
- [ -n "$error" ] && { logger -p user.err -t "sshtunnel" "$cfgtype $1 not started - $error"; return; }
+ [ "$remoteport" -gt 0 ] || error="remoteport must be a positive integer"
+ [ "$localport" -gt 0 ] || error="${error:+$error; }localpost must be a positive integer"
+ [ -n "$error" ] && return 1
[ "$cfgtype" = "tunnelL" ] && {
- args="-N -i $identity -o PasswordAuthentication=no -o ExitOnForwardFailure=yes $options -L $localaddress:$localport:$remoteaddress:$remoteport $user@$hostname"
+ tunnels_cmd="${tunnels_cmd:+$tunnels_cmd }-L $localaddress:$localport:$remoteaddress:$remoteport"
}
[ "$cfgtype" = "tunnelR" ] && {
- args="-N -i $identity -o PasswordAuthentication=no -o ExitOnForwardFailure=yes $options -R $remoteaddress:$remoteport:$localaddress:$localport $user@$hostname"
+ tunnels_cmd="${tunnels_cmd:+$tunnels_cmd }-R $remoteaddress:$remoteport:$localaddress:$localport"
}
-
- /usr/bin/sshtunnel.sh "$args" "$retrydelay" &
- echo $! >> "$PIDFILE".pids
- logger -p user.info -t "sshtunnel" "started new $cfgtype $1 (pid=$!;retrydelay=$retrydelay)"
}
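Review bot: `config_get localaddress $1 localaddress "*"` in the tunnelL branch and `config_get remoteaddress $1 remoteaddress "*"` in the tunnelR branch flip the previous 127.0.0.1 defaults to a wildcard bind, so any tunnel without an explicit address now listens on all interfaces (on the remote side this also depends on the server's GatewayPorts setting); the safe default is loopback with `*` opt-in, i.e. `config_get localaddress $1 localaddress "127.0.0.1"` and `config_get remoteaddress $1 remoteaddress "127.0.0.1"`. In load_server the CheckHostIP option is appended twice (`cmd="${CheckHostIP:+-o CheckHostIP=$CheckHostIP }"` followed by `cmd="$cmd${CheckHostIP:+-o CheckHostIP=$CheckHostIP }"`); drop the second line. The old `-f "$identity"` check was removed and its replacement is commented out, so with BatchMode=yes a missing or unreadable key only shows up as an endless retry loop; restore it for explicit paths, e.g. `[ -z "$IdentityFile" ] || [ -r "$IdentityFile" ] || error="${error:+$error; }IdentityFile $IdentityFile not readable"` (a `~` prefix would need expanding first, which may be why the line was disabled). The whole command is passed as one string to sshtunnel.sh and presumably word-split there, so an IdentityFile path containing spaces would break the ssh invocation, and the message `localpost must be a positive integer` has a typo.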
stop() {
start-stop-daemon -K -p "$PIDFILE"_"$pid".pid
kill $pid
logger -p daemon.info -t "sshtunnel[$pid]" "tunnel stopped"
+ rm "$PIDFILE"_"$pid".pid
done < "$PIDFILE".pids
-
- rm "$PIDFILE".pids
-
+
+ rm "$PIDFILE".pids
+
logger -p user.info -t "sshtunnel" "all tunnels stopped"
else
logger -p user.info -t "sshtunnel" "no tunnels running"
start() {
[ -f "$PIDFILE".pids ] && stop
- logger -p user.info -t "sshtunnel" "starting all tunnels"
-
- config_load sshtunnel
- config_foreach load_tunnel tunnelR
- config_foreach load_tunnel tunnelL
-
- logger -p user.info -t "sshtunnel" "all tunnels started"
+ config_load sshtunnel
+ if [ -n "$(uci show sshtunnel.@server[0])" ] # at least one server section exists
+ then
+ logger -p user.info -t "sshtunnel" "starting all tunnels"
+ config_foreach load_server server
+ logger -p user.info -t "sshtunnel" "all tunnels started"
+ else
+ logger -p user.info -t "sshtunnel" "no servers defined"
+ fi
}
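Review bot: `$(uci show sshtunnel.@server[0])` writes an error to stderr when no server section exists and spawns uci after `config_load sshtunnel` has already parsed the file; since `config_foreach load_server server` is right there, the presence check can be folded into it by having the callback bump a counter, or at minimum the call should carry `2>/dev/null`. `"all tunnels started"` is logged even when every load_server call returned early with an error, so the message can be misleading; log it only when at least one server actually started.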