Autossh reverse tunnel
My mum changed to a service provider that takes pleasure in changing her IP address regularly. I still want to be able to ssh into her computer (for maintenance, backup, mostly).
The secure (?) idea is to have her computer connect with ssh to my server and create a reverse tunnel. For security, that'll be created under a specific user which cannot create a session on the server, and the reverse tunnel is only open on localhost, so you can only connect to her computer if you connected to the server first. For availability reasons, ssh is run using autossh, which is started at boot time.
Server setup
Create an autossh user.
Limit the user so it cannot create an interactive session, in /etc/ssh/sshd_config:
Match user autossh
ForceCommand /usr/sbin/nologin
PermitTTY no
Client setup
On the client machine, we want to create a reverse tunnel (-R) that autossh keeps alive and that does not require creating an interactive session (-nNT). Start that at startup, using the right user, in /etc/rc.local:
apt install initscripts
su -c "autossh -nNT -R 2222:localhost:22 hood.rutschle.net" autossh
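
The Match block in the server setup stops shells and TTYs, but the forwarding directives keep their defaults, so the autossh account is not limited to the single loopback listener on port 2222. The script below is an added example, not part of the original post: it checks the effective settings printed by `sshd -T -C user=autossh` against a stricter block. The extra directives, the function names and both sample outputs are assumptions made for illustration.

```shell
# Added example, not from the original post. Stricter block it checks for:
#   Match User autossh
#       ForceCommand /usr/sbin/nologin
#       PermitTTY no
#       AllowTcpForwarding remote
#       PermitListen localhost:2222
#       GatewayPorts no
#       X11Forwarding no
#       AllowAgentForwarding no
# Usage on the server, as root:
#   sshd -T -C user=autossh | check_tunnel_user localhost:2222

# _expect KEY VALUE: compare one effective setting held in $cfg
_expect() {
    got=$(printf '%s\n' "$cfg" |
        awk -v k="$1" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }')
    [ "$got" = "$2" ] && return 0
    echo "FAIL $1: got '${got:-unset}', want '$2'"
    rc=1
}

# check_tunnel_user LISTEN: read `sshd -T` output on stdin; return 0 only if
# the account is limited to a loopback reverse tunnel on LISTEN.
check_tunnel_user() {
    cfg=$(cat)
    rc=0
    _expect forcecommand /usr/sbin/nologin
    _expect permittty no
    _expect allowtcpforwarding remote   # -R only, no -L/-D through the server
    _expect permitlisten "$1"           # only the agreed listener
    _expect gatewayports no             # listener stays on loopback
    _expect x11forwarding no
    _expect allowagentforwarding no
    return "$rc"
}

# Constructed sample: effective settings with only the post's three lines
sample_post_block() {
    printf '%s\n' 'forcecommand /usr/sbin/nologin' 'permittty no' \
        'allowtcpforwarding yes' 'permitlisten any' 'gatewayports no' \
        'x11forwarding no' 'allowagentforwarding yes'
}

# Constructed sample: effective settings with the stricter block above
sample_hardened_block() {
    printf '%s\n' 'forcecommand /usr/sbin/nologin' 'permittty no' \
        'allowtcpforwarding remote' 'permitlisten localhost:2222' \
        'gatewayports no' 'x11forwarding no' 'allowagentforwarding no'
}
```

Run the check again after every change to sshd_config; each FAIL line names the directive that still differs from the stricter block.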