Title: Faster SSH with multiplexing
Author: Solène
Date: 22 May 2018
Tags: unix ssh
Description:
I discovered today an OpenSSH feature which doesn't seem to be widely
known. The feature is called **multiplexing** and consists of reusing an
already open ssh connection to a server when you want to open another
one. This leads to faster connection establishment and fewer running
processes.

To reuse an open connection, we need to use the **ControlMaster**
option, which requires **ControlPath** to be set. We will also set
**ControlPersist** for convenience.
- **ControlMaster** defines whether ssh should create a master
  connection, reuse an existing one, or not use multiplexing at all.
- **ControlPath** defines where to store the socket used to reuse an
  open connection; this should be a path available only to your user.
- **ControlPersist** defines how long the master connection stays open
  after all the connections using it are closed. By default it is "no",
  and once you drop all connections the multiplexer stops.
```
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sessions/%h%p%r.sock
    ControlPersist 60
```
The directory *~/.ssh/sessions* must exist and be accessible by your user
only. You can create it with the following command:

```
install -d -m 700 ~/.ssh/sessions
```

(you can also do `mkdir ~/.ssh/sessions && chmod 700 ~/.ssh/sessions`
but this requires two commands)
The **ControlPath** value above creates one socket per remote server,
named "${hostname}${port}${user}.sock", so it is unique per destination.

Finally, I set **ControlPersist** to 60 seconds, so if I log out from a
remote server, I still have 60 seconds to reconnect to it instantly.

Don't forget that if for some reason the ssh connection handling the
multiplexing dies, all the ssh connections using it will die with it.
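As an added example (not from the original post), here is a small POSIX shell helper that verifies the ControlPath directory is private to your user, which matters because anyone able to open the control socket gets a session as you without authenticating again, and that wraps `ssh -O check` and `ssh -O exit` for inspecting or stopping a running master. The socket path (~/.ssh/sessions/%h%p%r.sock, as in the config above) and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# multiplexing setup above. Anyone who can open the control socket can
# start new sessions as you without authenticating again, so the
# ControlPath directory must belong to you and be mode 700.
# Assumed layout: ~/.ssh/sessions/%h%p%r.sock, as in the config above.

# Return 0 if DIR exists, is owned by the current user and is drwx------.
check_sessions_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing $dir; create it with: install -d -m 700 $dir"
        return 1
    fi
    # ls -ld is portable across GNU and BSD; stat flags are not.
    set -- $(ls -ld "$dir")
    perms=$1
    owner=$3
    if [ "$owner" != "$(id -un)" ]; then
        echo "$dir is owned by $owner, not $(id -un)"
        return 1
    fi
    # A trailing +, @ or . only marks ACLs/xattrs; the rwx bits are what matter.
    case $perms in
        drwx------*) return 0 ;;
        *) echo "$dir is $perms, expected drwx------"; return 1 ;;
    esac
}

# Exit status 0 when a live master connection for HOST exists (ssh -O check).
master_alive() {
    ssh -O check -o ControlPath="$HOME/.ssh/sessions/%h%p%r.sock" "$1" 2>/dev/null
}

# Ask the master for HOST to exit; every session multiplexed over it closes
# too, which is the effect the post warns about when the master dies.
master_stop() {
    ssh -O exit -o ControlPath="$HOME/.ssh/sessions/%h%p%r.sock" "$1"
}

# Usage: ssh-mux-check.sh [host]   (assumed script name)
if [ $# -gt 0 ]; then
    check_sessions_dir "$HOME/.ssh/sessions" || exit 1
    if master_alive "$1"; then
        echo "master for $1 is alive"
    else
        echo "no master for $1; the next ssh $1 will start one"
    fi
fi
```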
## Benefits with ProxyJump
Another very useful ssh feature is **ProxyJump**: it lets you reach ssh
hosts which are not directly accessible from where you are, like servers
without a public ssh service. For my job, I have a lot of servers not
facing the internet, and I can still connect to them through one of my
public-facing servers, which relays my ssh connection to the
destination. With the **ControlMaster** feature, the relay server no
longer has to handle a lot of connections, but only one.
In my *~/.ssh/config* file:

```
Host *.private.lan
    ProxyJump public-server.com
```
Those two lines allow me to connect to every server in the .private.lan
domain (which is known by my local DNS server) by typing
`ssh some-machine.private.lan`. This establishes a connection to
public-server.com and then connects from there to the destination server.