# Secure reverse ssh and reconnect?



## hilda (Apr 21, 2019)

How to secure a reverse ssh tunnel?

I have a OpenBSD box (as a router firewall to my internal net in a network that is not mine) behind another firewalls etc. that I need ssh access to. I can't ssh to it, other people can modify firewalls rules etc. that block a direct ssh access. So I thinking of a reverse ssh tunnel to one of my FreeBSD box on internet.

[my network with servers] -> [my OpenBSD FW] -> (not my network) -> (not mine FW) -> INTERNET <- [my firewall] <- [FreeBSD box]

I made a local account on the FreeBSD machine with /bin/sh and the reverse tunnel working with:  ssh -R 12345:localhost:22 user@ip-adress-to-freebsd -p 12345
But I don't want any ssh access from OpenBSD (just in case) to the FreeBSD machine. Tried /sbin/nologin and /bin/false, but no access with the tunnel.

Is there any way to secure a reverse ssh tunnel with "a no ssh shell" like thing on the FreeBSD box?
On OpenBSD you have authpf that work, but on FreeBSD?


This blocks forwarding tunnels (in sshd_config), as make this a title more secure. But still, you have shell.
GatewayPorts no
AllowTcpForwarding remote



And, if the connection is doping, I need that the tunnel should reconnect to the FreeBSD box. Is there any good alternative? Need a 24/7 link (or access to the OpenBSD machine via FreeBSD servern).
autossh... script that check the connections and run ssh again....?

Other suggestions on a ssh access to the OpenBSD box?

//Hilda


----------



## T-Daemon (Apr 22, 2019)

hilda said:


> On OpenBSD you have authpf that work, but on FreeBSD?


If you are looking for authpf(8) on FreeBSD, you have it in the base system.


----------

