I want to forward a Socks5 proxy using SSH with password authentication inside a Docker container. YES, I know that SSH keys would be better. But since it's not my own server, I'm not able to use keys; they just offer user/password authentication. autossh seems to be the right tool for this job, so I used it with sshpass in my entrypoint shell script:

sshpass -P "assphrase" -p "${PASSWORD}" autossh -M0 -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -oStrictHostKeyChecking=no -oUserKnownHostsFile=custom_known_hosts -4 -N -D *:5080 ${USER}@${HOST}

Both packages are installed in the Dockerfile:

FROM debian:stretch-slim
RUN apt-get update \
  && apt-get upgrade -y
RUN apt-get install -y ssh wget sshpass autossh
RUN wget https://www.provider.com/custom_known_hosts 
COPY run.sh .
ENTRYPOINT "./run.sh"

This establishes the SSH tunnel to the Socks5 proxy. But after the internet connection got lost, the authentication fails:

socks5_forward_1  | Warning: Permanently added 'server.provider.com' (ECDSA) to the list of known hosts.
socks5_forward_1  | SSHPASS searching for password prompt using match "assword"
socks5_forward_1  | SSHPASS read: [email protected]'s password:
socks5_forward_1  | SSHPASS detected prompt. Sending password.
socks5_forward_1  | SSHPASS read:
socks5_forward_1  |
socks5_forward_1  | packet_write_wait: Connection to 1.2.3.4 port 22: Broken pipe
socks5_forward_1  | SSHPASS read: [email protected]'s password:
socks5_forward_1  | SSHPASS detected prompt, again. Wrong password. Terminating.
socks5_forward_1  | Permission denied, please try again.
socks5_forward_1  | Permission denied, please try again.
socks5_forward_1  | Received disconnect from 1.2.3.4 port 22:2: Too many authentication failures
socks5_forward_1  | Authentication failed.
socks5_forward_1  | Permission denied, please try again.
socks5_forward_1  | Permission denied, please try again.
socks5_forward_1  | Received disconnect from 1.2.3.4 port 22:2: Too many authentication failures
socks5_forward_1  | Authentication failed.

I also tried

sshpass -v -p "${PASSWORD}" autossh -M0 -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -oStrictHostKeyChecking=no -oUserKnownHostsFile=custom_known_hosts -4 -N -D *:5080 ${USER}@${HOST}

and built a loop myself, since I thought that sshpass won't work properly after autossh tries to reconnect:

while true; do command sshpass -P "assphrase" -p "${PASSWORD}" ssh -M0 -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -oStrictHostKeyChecking=no -oUserKnownHostsFile=custom_known_hosts -4 -N -D *:5080 ${USER}@${HOST}; [ $? -eq 0 ] && break || sleep 5; done

Neither approach works. Since my ISP does a reconnect every 24 hours, it's annoying to restart the container every day by hand. I couldn't figure out yet why the last approach, the loop, can't handle the reconnect properly.

Lion
  • Not sure if this is a typo, but the username in the initial connection is 'myUser', and the username during reconnection is 'myUser4'. – Haxiel Jun 12 '21 at 14:45
  • @Haxiel Good attention, but it was only a typo while censoring the real username :D I fixed it to avoid confusion – Lion Jun 13 '21 at 10:06

1 Answer

It seems the problem is that SSH itself tries to reconnect and sshpass has problems sending the password for that reconnect. So I built a loop myself and configured ssh to exit if the forwarding failed:

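# Start a fresh sshpass + ssh on every iteration, so each new connection
# gets its own password prompt answered.
while :; do
  sshpass -v \
    -p "${PASSWORD}" \
    ssh \
      -o "ServerAliveInterval 60" \
      -o "ServerAliveCountMax 2" \
      -o "ConnectTimeout 15" \
      -o "ExitOnForwardFailure yes" \
      -o "StrictHostKeyChecking no" \
      -o "UserKnownHostsFile perfect_privacy_known_hosts" \
      -4 -N -D '*:5080' "${USER}@${HOST}"

  # ssh has exited (timeout, DNS failure, ...): wait, then reconnect
  echo "SSH connection exieted, wait 15s before re-trying"
  sleep 15
done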

By restarting the DSL modem, I simulated a reconnect:

socks5_forward_1  | Ziel: server.provider.com mit User: myUser
socks5_forward_1  | Warning: Permanently added 'server.provider.com' (ECDSA) to the list of known hosts.
socks5_forward_1  | SSHPASS searching for password prompt using match "assword"
socks5_forward_1  | SSHPASS read: [email protected]'s password:
socks5_forward_1  | SSHPASS detected prompt. Sending password.
socks5_forward_1  | SSHPASS read:
socks5_forward_1  |
socks5_forward_1  | Timeout, server server.provider.com not responding.
socks5_forward_1  | SSH connection exieted, wait 15s before re-trying
socks5_forward_1  | ssh: Could not resolve hostname server.provider.com: Temporary failure in name resolution
socks5_forward_1  | SSH connection exieted, wait 15s before re-trying
socks5_forward_1  | ssh: Could not resolve hostname server.provider.com: Temporary failure in name resolution
socks5_forward_1  | SSH connection exieted, wait 15s before re-trying
socks5_forward_1  | ssh: Could not resolve hostname server.provider.com: Temporary failure in name resolution
socks5_forward_1  | SSH connection exieted, wait 15s before re-trying
socks5_forward_1  | ssh: Could not resolve hostname server.provider.com: Temporary failure in name resolution
socks5_forward_1  | SSH connection exieted, wait 15s before re-trying
socks5_forward_1  | SSHPASS searching for password prompt using match "assword"
socks5_forward_1  | SSHPASS read: [email protected]'s password:
socks5_forward_1  | SSHPASS detected prompt. Sending password.
socks5_forward_1  | SSHPASS read:

This works well: the SSH connection was established, and so my socks5 proxy got automatically reconnected.

Lion
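A hardened variant of the retry loop above, as an added example that is not part of the original answer: every attempt gets its own sshpass, the password goes through the SSHPASS environment variable (sshpass -e) instead of -p, the host key is checked strictly against the downloaded known_hosts file, and the loop stops on a rejected password instead of producing more failed logins. It assumes custom_known_hosts contains the server's host key; the `run` argument and the RETRY_DELAY variable are hypothetical names.

```shell
#!/bin/sh
# Added example, not the answer's script. Assumes PASSWORD, USER and HOST are
# set as in the question and that ./custom_known_hosts holds the server's key.

# Map an exit status to "stop" or "retry". sshpass exits 5 when ssh asks for
# the password a second time (password rejected) and 6 when ssh stops to ask
# about an unknown host key; retrying either only adds failed logins.
next_action() {
  case "$1" in
    5|6) echo stop ;;
    *)   echo retry ;;  # e.g. 255: timeout, DNS failure, broken pipe
  esac
}

# One tunnel attempt with a fresh sshpass. "-e" takes the password from
# $SSHPASS, so it is not passed on the command line as with "-p".
# With "StrictHostKeyChecking yes" ssh itself refuses an unknown or changed
# host key (status 255), so the password is never sent to an unverified host.
start_tunnel() {
  SSHPASS="$PASSWORD" sshpass -e ssh \
    -o "ServerAliveInterval 60" -o "ServerAliveCountMax 2" \
    -o "ConnectTimeout 15" -o "ExitOnForwardFailure yes" \
    -o "StrictHostKeyChecking yes" \
    -o "UserKnownHostsFile custom_known_hosts" \
    -4 -N -D '*:5080' "${USER}@${HOST}"
}

# Retry until an attempt ends with a status that retrying cannot fix, then
# return it so the container exits visibly instead of looping forever.
tunnel_loop() {
  delay="${RETRY_DELAY:-15}"   # hypothetical tuning variable, seconds
  while :; do
    rc=0
    start_tunnel || rc=$?
    if [ "$(next_action "$rc")" = stop ]; then
      return "$rc"
    fi
    echo "ssh exited with status $rc, retrying in ${delay}s" >&2
    sleep "$delay"
  done
}

# Start only when called as "./run.sh run" ("run" is a hypothetical argument).
if [ "${1:-}" = run ]; then
  tunnel_loop
fi
```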