#!/bin/bash
# ReverseSSH first setup
# Run as root
#
# Usage: reverseSSH.sh [--systemd] <user> <target-host>
#
# --systemd Install a systemd unit (recommended) instead of a cron @reboot entry.
# Requires systemd. The unit file autossh-tunnel.service must be present
# alongside this script.
# user - username on both local and target host
# target-host - hostname or IP of the target (management) server
#
# Prep on Target host before running:
# - Install findopenport.sh and ensure it is on $PATH (e.g. /usr/local/bin)
# - Copy the target's private key (<user>.pem) and public key (<user>.pub) to
#   /home/<user>/install/ on this host; the .pem must be mode 0600 or ssh refuses it
# - Put the target's SSH host key in /home/<user>/.ssh/known_hosts on this host:
#   the reboot tunnel runs as <user> without a terminal and cannot answer a host-key prompt
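# Every step below feeds the next one (key exchange -> port discovery ->
# registry -> persistence), so stop at the first failure instead of writing an
# empty port into a crontab line or a systemd env file.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

USE_SYSTEMD=false
if [[ "${1:-}" == "--systemd" ]]; then
  USE_SYSTEMD=true
  shift
fi
if [[ $# -lt 2 ]]; then
  echo "Usage: $0 [--systemd] <user> <target-host>" >&2
  exit 1
fi
# Keep the argument out of $USER: that is an exported environment variable and
# overwriting it confuses su/logging for the rest of this script.
TUNNEL_USER="$1"
TARGET="$2"
HOME_DIR="/home/$TUNNEL_USER"
INSTALL_DIR="$HOME_DIR/install"
SSH_DIR="$HOME_DIR/.ssh"
KNOWN_HOSTS="$SSH_DIR/known_hosts"
LOCAL_KEY="$SSH_DIR/id_rsa"
TARGET_KEY="$INSTALL_DIR/$TUNNEL_USER.pem"
TARGET_PUB="$INSTALL_DIR/$TUNNEL_USER.pub"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

[[ $EUID -eq 0 ]] || die "run as root"
id "$TUNNEL_USER" >/dev/null 2>&1 || die "no such local user: $TUNNEL_USER"
TUNNEL_GROUP="$(id -gn "$TUNNEL_USER")"

yum install -y autossh

# Create installs folder
mkdir -p "$INSTALL_DIR"

# Log output & errors.  Root is writing into a user-owned directory, so drop
# whatever is at the log path first and open with noclobber (O_EXCL) so a
# planted symlink cannot point root's output at another file.
LOG="$INSTALL_DIR/setup.log"
rm -f -- "$LOG"
set -C
exec > "$LOG" 2>&1
set +C

## Pre-flight: the staged key pair and the target's host key must be present.
[[ -f "$TARGET_KEY" ]] || die "missing target private key: $TARGET_KEY"
[[ -f "$TARGET_PUB" ]] || die "missing target public key: $TARGET_PUB"
# ssh refuses a private key that is group/world readable, regardless of caller.
chmod 600 -- "$TARGET_KEY"
install -d -m 700 -o "$TUNNEL_USER" -g "$TUNNEL_GROUP" "$SSH_DIR"
# The tunnel later runs as $TUNNEL_USER (cron path; the systemd unit is handed
# TUNNEL_USER via the env file), with no terminal to answer a host-key prompt,
# so the target's host key must already be trusted in that user's known_hosts.
# Refuse rather than accept whatever key answers first.
ssh-keygen -F "$TARGET" -f "$KNOWN_HOSTS" >/dev/null 2>&1 \
  || die "host key for $TARGET is not in $KNOWN_HOSTS; add it out of band and re-run"
# All setup-time connections use the staged key, the user's known_hosts and
# BatchMode so nothing can block on a prompt.
SSH_OPTS=(-i "$TARGET_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes
          -o "UserKnownHostsFile=$KNOWN_HOSTS")

## Create local SSH key (skip if one already exists)
if [[ ! -f "$LOCAL_KEY" ]]; then
  # Explicit type and path: the rest of the script and the systemd env file
  # assume id_rsa, and ssh-keygen's default key type is version dependent.
  su "$TUNNEL_USER" -s /bin/sh -c "ssh-keygen -q -t rsa -b 4096 -N '' -f '$LOCAL_KEY'"
fi

## Copy local host key to Target
ssh "${SSH_OPTS[@]}" "$TUNNEL_USER@$TARGET" \
  "cat >> /home/$TUNNEL_USER/.ssh/authorized_keys" < "$LOCAL_KEY.pub"

## Copy Target key to local host (append, don't overwrite, don't duplicate on re-runs)
AUTH_KEYS="$SSH_DIR/authorized_keys"
touch -- "$AUTH_KEYS"
chmod 600 -- "$AUTH_KEYS"
chown "$TUNNEL_USER:$TUNNEL_GROUP" -- "$AUTH_KEYS"
if ! grep -qxF -- "$(cat -- "$TARGET_PUB")" "$AUTH_KEYS"; then
  cat -- "$TARGET_PUB" >> "$AUTH_KEYS"
fi

## Find free ports on Target and write to install file
ssh "${SSH_OPTS[@]}" "$TUNNEL_USER@$TARGET" 'findopenport.sh 2>/dev/null' \
  > "$INSTALL_DIR/openportlist.txt"
readarray -t remote_port < "$INSTALL_DIR/openportlist.txt"
PORT="${remote_port[0]:-}"
# PORT is remote-supplied output that gets spliced into a hostname, a crontab
# line and a tunnel bind address below; insist it is a plain port number first.
[[ "$PORT" =~ ^[1-9][0-9]{0,4}$ ]] && (( PORT <= 65535 )) \
  || die "findopenport.sh on $TARGET returned no usable port: '$PORT'"

# Set temporary hostname
hostnamectl set-hostname "build-$PORT"

## Register this host in the port registry on the Target.  The record goes
## over stdin rather than being interpolated into the remote command line.
printf '%s=%s,%s\n' "$PORT" "$(hostname)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  | ssh "${SSH_OPTS[@]}" "$TUNNEL_USER@$TARGET" "cat >> /home/$TUNNEL_USER/tunnel-registry.txt"

## Set up persistence (systemd or cron)
if [[ "$USE_SYSTEMD" == true ]]; then
  UNIT_SRC="$SCRIPT_DIR/autossh-tunnel.service"
  [[ -f "$UNIT_SRC" ]] || die "missing unit file: $UNIT_SRC"
  # Write environment file read by the unit (root-only: it names the key path)
  cat > /etc/autossh-tunnel.conf <<EOF
TUNNEL_USER=$TUNNEL_USER
TUNNEL_TARGET=$TARGET
TUNNEL_PORT=$PORT
SSH_KEY=$LOCAL_KEY
EOF
  chmod 600 /etc/autossh-tunnel.conf
  # Install and enable the unit
  install -m 644 -- "$UNIT_SRC" /etc/systemd/system/autossh-tunnel.service
  systemctl daemon-reload
  systemctl enable autossh-tunnel.service
  systemctl start autossh-tunnel.service
  echo "Systemd unit installed and started."
else
  CRON_ENTRY="@reboot nohup /usr/bin/autossh -M 0 -o 'ServerAliveInterval 10' -o 'ServerAliveCountMax 3' -NR $PORT:localhost:22 $TUNNEL_USER@$TARGET &"
  # Go through crontab(1) instead of writing a spool file by hand: the spool
  # path differs between distributions (/var/spool/cron/<user> on yum-based
  # systems, /var/spool/cron/crontabs/<user> on Debian), so a hard-coded path
  # silently installs nothing on the wrong one.
  EXISTING_CRON="$(crontab -u "$TUNNEL_USER" -l 2>/dev/null || true)"
  if ! grep -qF -- "NR $PORT:localhost:22" <<<"$EXISTING_CRON"; then
    { printf '%s\n' "$EXISTING_CRON"; printf '%s\n' "$CRON_ENTRY"; } \
      | crontab -u "$TUNNEL_USER" -
  fi
  ## Start tunnel now (cron path only).  Run it as the tunnel user, as cron
  ## will at reboot: root's own ~/.ssh/id_rsa is not the key that was just
  ## authorized on the target.
  su "$TUNNEL_USER" -s /bin/sh -c \
    "nohup /usr/bin/autossh -M 0 -o 'ServerAliveInterval 10' -o 'ServerAliveCountMax 3' -NR $PORT:localhost:22 $TUNNEL_USER@$TARGET >/dev/null 2>&1 &"
fi

## Create local host connection shortcut and copy it to Target
SHORTCUT="$INSTALL_DIR/build-$PORT.sh"
printf 'ssh -p %s %s@127.0.0.1\n' "$PORT" "$TUNNEL_USER" > "$SHORTCUT"
chmod +x -- "$SHORTCUT"
chown "$TUNNEL_USER:$TUNNEL_GROUP" -- "$SHORTCUT"
scp "${SSH_OPTS[@]}" -- "$SHORTCUT" "$TUNNEL_USER@$TARGET:/home/$TUNNEL_USER/"

echo "Setup complete. SSH port: $PORT"
echo "On $TARGET run: ./build-$PORT.sh"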