Title: Faster SSH with multiplexing
Author: Solène
Date: 22 May 2018
Tags: unix ssh
Description:
I discovered today an OpenSSH feature which doesn't seem to be widely
known. The feature is called **multiplexing** and consists of reusing
an already opened ssh connection to a server when you want to open another
one. This leads to faster connection establishment and fewer processes
running.

To reuse an opened connection, we need to use the **ControlMaster**
option, which requires **ControlPath** to be set. We will also set
**ControlPersist** for convenience.
- **ControlMaster** defines whether ssh creates a master connection, reuses
  an existing one, or does no multiplexing at all.
- **ControlPath** defines where to store the socket used to reuse an opened
  connection; this should be a path only accessible to your user.
- **ControlPersist** defines how long the ssh multiplexer keeps running after
  all connections using it are closed. By default it's "no", so once you
  drop all connections the multiplexer stops.
```
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sessions/%h%p%r.sock
    ControlPersist 60
```
The *~/.ssh/sessions* directory must exist and be accessible by your user
only. You can create it with the following command:

```
install -d -m 700 ~/.ssh/sessions
```

(you can also do `mkdir ~/.ssh/sessions && chmod 700 ~/.ssh/sessions`
but this requires two commands)

The **ControlPath** variable creates sockets with the name
"${hostname}${port}${user}.sock", so it will be unique per remote
server.

Finally, I chose to set **ControlPersist** to 60 seconds, so if I
log out from a remote server, I still have 60 seconds to reconnect to
it instantly.

Don't forget that if for some reason the ssh channel handling the
multiplexing dies, all the ssh connections using it will die with it.
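The sockets under **ControlPath** are worth protecting: anyone who can open one gets a session on the remote host as you, without touching your keys, which is why the directory is mode 700. The following script is an added example, not code from the original post: it prepares the sessions directory the way the `install` command above does, checks that its mode is still exactly 0700 before relying on it, lists the master sockets currently present, and wraps OpenSSH's `ssh -O check` to ask whether a master for a given host is still alive. The `SESSIONS_DIR` variable and the function names are my own choices.

```shell
# Added example (not from the original post): prepare and verify the
# directory holding ControlPath sockets, then query existing masters.
set -u

# Directory the ControlPath in the post points at; override via environment.
SESSIONS_DIR="${SESSIONS_DIR:-$HOME/.ssh/sessions}"

# Create the directory with mode 700 in one step (same as the post's command).
setup_sessions_dir() {
    install -d -m 700 "$1"
}

# Return 0 only if the path is a directory whose mode is exactly 0700.
# find's -prune stops descent and -perm 700 is an exact-mode test (POSIX).
check_sessions_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -perm 700 -print)" ] || return 1
    return 0
}

# Print the control sockets present in the directory: one per reusable
# master, named ${hostname}${port}${user}.sock as configured above.
list_control_sockets() {
    find "$1" -type s -name '*.sock' 2>/dev/null
}

# Exit 0 if a master for the given host is running; ssh -O check is an
# OpenSSH control command and needs the ControlPath config to be active.
master_alive() {
    ssh -O check "$1" >/dev/null 2>&1
}

# Usage, when run as a script rather than sourced:
#   setup_sessions_dir "$SESSIONS_DIR"
#   check_sessions_dir "$SESSIONS_DIR" || echo "sessions dir is not private" >&2
#   list_control_sockets "$SESSIONS_DIR"
#   master_alive some-host && echo "master for some-host is up"
```

If `check_sessions_dir` fails after a `chmod` or an overly permissive umask, fix the mode before opening new masters; an existing socket in a world-readable directory is the failure mode the 700 mode is meant to prevent.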
## Benefits with ProxyJump

Another very useful ssh feature is **ProxyJump**: it lets you reach ssh
hosts which are not directly available from your current location, such
as servers with no public ssh service. For my job, I have a lot of servers
not facing the internet, and I can still connect to them through one of my
public-facing servers, which relays my ssh connection to the destination.
With the **ControlMaster** feature, the ssh relay server no longer has to
handle many connections, but only one.

In my *~/.ssh/config* file:

```
Host *.private.lan
    ProxyJump public-server.com
```
Those two lines allow me to connect to every server in the .private.lan
domain (which is known to my local DNS server) by typing
`ssh some-machine.private.lan`. This establishes a connection to
public-server.com and then connects to the next server from there.