Faster SSH with multiplexing

• Author: Solène
• Date: 22 May 2018
• Tags: unix ssh

NILI discovered today an OpenSSH feature which doesn't seem to be widely

known. The feature is called multiplexing and consists of reusing

an opened ssh connection to a server when you want to open another

one. This leads to faster connection establishment and less processes

running.

To reuse an opened connection, we need to use the ControlMaster

option, which requires ControlPath to be set. We will also set

• ControlPersist* for convenience.

• ControlMaster defines if we create, or use or nothing about

multiplexing

• ControlPath defines where to store the socket to reuse an opened

connection, this should be a path only available to your user.

• ControlPersist defines how much time to wait before closing a

ssh connection multiplexer after all connection using it are

closed. By default it's "no" and once you drop all connections the

multiplexer stops.

I choosed to use the following parameters into my ~/.ssh/config file:

Host *

ControlMaster auto

ControlPath ~/.ssh/sessions/%h%p%r.sock

ControlPersist 60

This requires to have ~/.ssh/sessions/ folder restricted to my user

only. You can create it with the following command:

install -d -m 700 ~/.ssh/sessions

(you can also do mkdir ~/.ssh/sessions && chmod 700 ~/.ssh/sessions

but this requires two commands)

The ControlPath variable will creates sessions with the name

"${hostname}${port}${user}.sock", so it will be unique per remote

server.

Finally, I choose to use ControlPersist to 60 seconds, so if I

logout from a remote server, I still have 60 seconds to reconnect to

it instantly.

Don't forget that if for some reason the ssh channel handling the

multiplexing dies, all the ssh connections using it will die with it.

Benefits with ProxyJump

Another ssh feature that is very useful is ProxyJump, it's really

useful to access ssh hosts which are not directly available from your

current place. Like servers with no public ssh server available. For

my job, I have a lot of servers not facing the internet, and I can

still connect to them using one of my public facing server which will

relay my ssh connection to the destination. Using the

• ControlMaster* feature, the ssh relay server doesn't have to handle

lot of connections anymore, but only one.

In my ~/.ssh/config file:

Host *.private.lan

ProxyJump public-server.com

Those two lines allow me to connect to every servers with .private.lan

domains (which is known by my local DNS server) by typing