SaltStack – Open an reverse SSH tunnel to a Raspberry Pi minion from the salt-master in AWS

Executing salt modules and states on minions is the normal way to interact with a minion, but sometimes it is a lot faster to manage a remote machine with a terminal shell over ssh. If that machine is behind a NAT, then it gets more difficult to ssh to that box, but if you control the salt master then you can setup a reverse SSH tunnel to the minion. Here’s how I did it from an AWS Lightsail salt-master and a Raspberry Pi without touching the minion except to set it up as a salt minion to my master. At some point I will likely turn this into a salt state so it can executed faster.

// It'd be better security-wise if you used a separate pivot machine instead of the salt master
// Generate an ssh key pair for a user on your salt-master

// Copy your ssh public key to the salt-master file root
 sudo mkdir /srv/salt/ssh_keys
 sudo cp /home/ubuntu/.ssh/ /srv/salt/ssh_keys/

// Create a new, limited user on your salt-master
// Ideally you would lock this user down as much as possible, 
// but still allow it to ssh to the salt-master and open up a reverse ssh tunnel.
 sudo useradd -m sshtunnel -s /bin/bash

// Generate ssh keys for sshtunnel
 sudo ssh-keygen -f sshtunnel

// Copy the key to your salt file root
 sudo cp sshtunnel /srv/salt/ssh_keys/sshtunnel.id_rsa

// Add they public key in to authorized_keys file
 sudo cp /home/sshtunnel/.ssh/authorized_keys
 sudo chown -R sshtunnel:sshtunnel /home/sshtunnel/.ssh

// Add your salt-master user's public ssh key to the 
// minion's /home/pi/.ssh/authorized_keys
 sudo salt minion01 ssh.set_auth_key_from_file pi salt://ssh_keys/

// Place salt master fingerprint in /home/pi/.ssh/known_hosts
 sudo salt minion01 ssh.set_known_host pi

// Generate a md5 sum of /srv/salt/ssh_keys/sshtunnel.id_rsa because 
// you'll need it when placing the file on the minion in the next command
 sudo md5sum /srv/salt/ssh_keys/sshtunnel.id_rsa

// Place ssh key from the master's /home/sshtunnel/.ssh/id_rsa on 
// the minion at /home/pi/.ssh/id_rsa
 sudo salt minion01 file.manage_file /home/pi/.ssh/id_rsa '' '{}' salt://ssh_keys/sshtunnel.id_rsa '{hash_type: 'md5', 'hsum': ''}' pi pi '600' base ''

//////////   MAKE THE CONNECTION ////////////////
// Open SSH Tunnel from the minion to the master with a port forward
 sudo salt minion01 runas=pi 'ssh -f -R 7000:localhost:22 sleep 30' --async
// Connect from the master to the minion on the local port that was opened
 ssh pi@localhost -p 7000

// You are now connected to the minion and can manage and debug things faster
// Once you quit the ssh session, the minion->master ssh session will close

// Cleanup to avoid giving minions access to the master
// Remove ssh key from /home/pi/.ssh/id_rsa
 sudo salt minion01 file.remove /home/pi/.ssh/id_rsa


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s