To create a key pair and add its public half to the server's authorized_keys file to allow logins with the private key, run the following on the client machine (a Mac OS X laptop in my case). If Elliptic Curve DSA (ECDSA) is available and supported on both ends, it can be used by adding “-t ecdsa” to the ssh-keygen command. Example default dsa key generation:

Append the resulting public key to ~/.ssh/authorized_keys on the server, or use ssh-copy-id for easy installation if available. Prefix the public key with command="",no-pty to prevent any commands from being executed using this private key and to avoid wasting resources on a pty (the latter is not a security feature). Optionally add a comment to the end so you can keep track of the purpose of this installed public key. The result should look something like the following:
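As an added example (not code from the original post), here is a small POSIX shell script that produces the restricted authorized_keys line described above from an ssh-keygen public key, and audits an existing authorized_keys file for entries that still lack a forced command. The function names, the placeholder key material and the ed25519 default are my assumptions; the post itself used ssh-keygen's dsa type, which current OpenSSH no longer generates.

```shell
#!/bin/sh
# Added example: build and audit restricted authorized_keys entries.
# Nothing here is the original post's code; names and sample data are constructed.

# Generate the dedicated tunnel key on the client (run once, by hand).
# $1: key file (default ~/.ssh/servername-home-fwd), $2: key type.
# The post used dsa in 2012; OpenSSH 9.8+ no longer accepts -t dsa, so
# ed25519 is the assumed default here. The passphrase is empty because
# launchd starts ssh unattended; rely on file permissions to protect it.
generate_key() {
    ssh-keygen -t "${2:-ed25519}" -N '' -C servername-home-fwd \
        -f "${1:-$HOME/.ssh/servername-home-fwd}"
}

# Print an authorized_keys line that forbids commands and pty allocation.
# $1: public key line as written by ssh-keygen ("type base64 [comment]")
# $2: purpose comment to append (replaces the key's own comment)
# Note: the newer single option "restrict" would also disable port
# forwarding, which this tunnel depends on, so command="" is used instead.
restrict_pubkey() {
    pubkey=$1
    purpose=$2
    set -- $pubkey                 # word-split: $1=type $2=base64 $3..=comment
    keytype=$1
    keydata=$2
    case $keytype in
        ssh-*|ecdsa-sha2-*|sk-*) ;;
        *) echo "restrict_pubkey: unrecognised key type '$keytype'" >&2; return 1 ;;
    esac
    printf 'command="",no-pty %s %s %s\n' "$keytype" "$keydata" "$purpose"
}

# Count entries in the authorized_keys file $1 that still permit arbitrary
# commands, i.e. that have no options field or whose options lack command="...".
# Comments and blank lines are ignored; options end where the key type begins.
count_unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(ssh-|ecdsa-|sk-)/) { n++; next }   # bare key, no options
            if (match(line, /[ \t](ssh-|ecdsa-|sk-)/)) opts = substr(line, 1, RSTART)
            else opts = line
            if (opts !~ /(^|,)command="/) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    restrict_pubkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyData0000 laptop" \
        servername-home-fwd
fi
```

Run the audit against the server's ~/.ssh/authorized_keys after installing the key: any non-zero count means some key on that account can still open a shell.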
On the server, set ClientAliveInterval in sshd_config, which is disabled by default. If ClientAliveCountMax (defaults to 3) pings go unanswered, the server will drop the connection. This is critical to detecting that the remote client has disappeared and to freeing up the port defined below for a reconnect from the client when it comes back online. It isn’t strictly necessary, as the server will drop the connection after a while on its own, but it significantly speeds up reconnects.
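An added check for the server side (not from the original post): this shell function reads an sshd_config file and reports the effective ClientAliveInterval and ClientAliveCountMax along with how many seconds pass before sshd drops a silent client and releases the forwarded port. It applies sshd's own rules: the first occurrence of a keyword wins, the Key=Value spelling is accepted, and only the global section before any Match block is considered. The function name and the sample configuration are constructed.

```shell
#!/bin/sh
# Added example: how long sshd takes to notice a vanished client, derived
# from the ClientAlive* settings in an sshd_config-style file.

# Print "interval=I countmax=C detect=S" for the file named in $1, where S is
# I*C seconds, or "never" when the check is disabled. Defaults follow sshd:
# ClientAliveInterval 0 (disabled) and ClientAliveCountMax 3. A CountMax of 0
# also disables termination in current OpenSSH, so it is reported as "never".
client_alive_summary() {
    awk '
        BEGIN { interval = 0; countmax = 3 }            # sshd defaults
        /^[ \t]*(#|$)/ { next }                         # comments and blank lines
        {
            line = $0
            sub(/=/, " ", line)                         # accept Keyword=Value
            split(line, f)
            key = tolower(f[1])                         # keywords are case-insensitive
        }
        key == "match" { exit }                         # global section only
        key == "clientaliveinterval" && !seen_i { interval = f[2] + 0; seen_i = 1 }
        key == "clientalivecountmax" && !seen_c { countmax = f[2] + 0; seen_c = 1 }
        END {
            if (interval == 0 || countmax == 0) detect = "never"
            else detect = interval * countmax
            printf "interval=%d countmax=%d detect=%s\n", interval, countmax, detect
        }
    ' "$1"
}

# Usage: sh this_script.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    client_alive_summary "$1"
fi
```

A result of detect=never means a laptop that drops off the network leaves its remote forward bound on the server until TCP itself gives up, so the client's ExitOnForwardFailure retries will keep failing in the meantime.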
launchd runs the job as the UserName user on the Mac OS X client and then attempts to run the ssh command described by ProgramArguments. SSH command description:

-N - Don’t run a remote command. Attempting to run one would fail anyway due to the restrictions imposed by the authorized_keys file.

-T - Disable pty allocation. There is no need for one when only port forwarding is desired.

-C - Request compression. This is optional; typically my processors outpace my network speed, especially on 4G/LTE networks.

-o ServerAliveInterval=60 - The client will attempt to send pings to the server every 60 seconds. After 3 failed pings (the default ServerAliveCountMax is 3), the client will drop the connection and ssh will return.

-o ExitOnForwardFailure=yes - If the port forwarding fails to get set up, for example because another process (or an old ssh process) is still bound to the hardcoded port, fail and return.

-i /Users/<username>/.ssh/servername-home-fwd - Use the specified ssh private key (generated above) for this connection. This must be the private key matching the public key in the authorized_keys file on the server.

-R 12345:localhost:22 - Remotely forward the client’s localhost port 22 (sshd) to the server’s port 12345. This allows the server to connect to the client’s ssh port.

remoteuser@servername - Connect to the ssh server servername as user remoteuser.

Whenever ssh exits, launchd restarts it thanks to the KeepAlive
key. The default restart time is 10 seconds and should work just fine for this task. RunAtLoad does as the name suggests and runs this launchd task at load and at boot time.

Once the tunnel is up, connect back to the laptop with ssh -p12345 <username>@localhost on the server. Note that the host will always be localhost due to the port forwarding, and the user is the user on the Mac OS X client.
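The ssh options listed above and the launchd keys just described, assembled into a job definition as an added example (this is not the plist from the original post). tunnel_args lists the ssh arguments in order, xml_strings turns them into <string> elements with XML escaping, and tunnel_plist wraps them in a LaunchDaemon plist with UserName, KeepAlive and RunAtLoad set. The /usr/bin/ssh path, the com.example label and the alice/remoteuser/servername names are assumptions.

```shell
#!/bin/sh
# Added example: emit a launchd job definition for the reverse tunnel.
# Key names (Label, UserName, ProgramArguments, KeepAlive, RunAtLoad) are
# launchd's; the label, paths and account names are placeholders.

# Print the ssh argument list, one per line, in the order discussed above.
# $1: local user on the Mac, $2: remote user, $3: server, $4: remote port.
# /usr/bin/ssh is assumed to be the ssh binary on the Mac.
tunnel_args() {
    local_user=$1 remote_user=$2 server=$3 rport=$4
    printf '%s\n' \
        /usr/bin/ssh -N -T -C \
        -o ServerAliveInterval=60 \
        -o ExitOnForwardFailure=yes \
        -i "/Users/$local_user/.ssh/$server-home-fwd" \
        -R "$rport:localhost:22" \
        "$remote_user@$server"
}

# Read arguments from stdin, one per line, and wrap each in <string> tags,
# escaping the XML metacharacters so odd user or host names cannot break the plist.
xml_strings() {
    while IFS= read -r arg; do
        esc=$(printf '%s' "$arg" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g')
        printf '        <string>%s</string>\n' "$esc"
    done
}

# Print a complete LaunchDaemon plist to stdout.
# $1: job label; remaining arguments as for tunnel_args. A daemon (rather than
# an agent) starts at boot without a login, and UserName drops it to the laptop
# user; KeepAlive restarts ssh whenever it exits, after launchd's default
# ThrottleInterval of 10 seconds.
tunnel_plist() {
    label=$1; shift
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        "    <key>Label</key><string>$label</string>" \
        "    <key>UserName</key><string>$1</string>" \
        '    <key>ProgramArguments</key>' \
        '    <array>'
    tunnel_args "$@" | xml_strings
    printf '%s\n' \
        '    </array>' \
        '    <key>KeepAlive</key><true/>' \
        '    <key>RunAtLoad</key><true/>' \
        '</dict>' \
        '</plist>'
}

# Usage: sh this_script.sh demo > com.example.servername-home-fwd.plist
if [ "${1:-}" = demo ]; then
    tunnel_plist com.example.servername-home-fwd "${USER:-username}" remoteuser servername 12345
fi
```

Save the output under /Library/LaunchDaemons and load it with launchctl; because -N, -T and the authorized_keys restrictions are all present, the job can only ever establish the forward, never a shell, on either end.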