systemd socket activation to create a permanent SSH tunnel

hvjunk hvjunk at gmail.com
Sun Mar 29 17:45:48 AEDT 2026


What about using proxyjump?

Sent from my mobile device

> On 28 Mar 2026, at 23:29, R. Diez via openssh-unix-dev <openssh-unix-dev at mindrot.org> wrote:
> 
> Hi all:
> 
> I have configured an SSH tunnel in ~/.ssh/config with "ssh -N", "LocalForward", "ControlPersist", etc. The trouble is, I have to start it manually every day.
> 
> I have looked at autossh, but the trouble is, if the network is down, or the remote server changes credentials, autossh will forever keep trying to open the SSH tunnel, polluting the failure log. The same would happen with a systemd service set to automatically restart: it will keep failing and triggering failed service alerts in Prometheus.
> 
> The right thing to do would be to set up a systemd socket activation for the SSH tunnel. This way, when an application tries to connect to the local tunnel endpoint, systemd will automatically start the SSH tunnel command. If nobody is trying to use the tunnel, then the system will not attempt to establish the connection.
> 
> The trouble is, systemd passes the socket file descriptor to the child process in environment variable LISTEN_FDS. The reason is, the child process cannot open the socket for listening purposes, because systemd's socket activation has already done it.
> 
> I gather that opensshd (the daemon) supports the LISTEN_FDS mechanism, because I have read somewhere that this is the way many Linux distributions start OpenSSH, even before systemd existed.
> 
> Does "ssh" (the SSH client) support LISTEN_FDS too? I could not find any mention of LISTEN_FDS in its documentation.
> 
> I need socket activation support in "ssh", because socket activation should trigger the ssh command to establish the tunnel, and that does not involve the SSH daemon on the local PC, only the ssh client (as far as I understand it).
> 
> If ssh does support the LISTEN_FDS mechanism, I would appreciate an example of how to configure systemd socket activation for such an SSH tunnel. I could not find many examples about it on the Internet.
> 
> Thanks in advance,
>  rdiez
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
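
Added example, not part of the thread and not OpenSSH code: what a program has to do on its side to take over sockets under the LISTEN_FDS convention discussed above, following sd_listen_fds(3) (LISTEN_PID must name the receiving process, LISTEN_FDS is a count, descriptors start at fd 3). The function name and its `environ`, `pid` and `start` parameters are hypothetical and exist so the checks can be exercised without systemd.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # sd_listen_fds(3): passed descriptors begin at fd 3


def inherited_listeners(environ=None, pid=None, start=SD_LISTEN_FDS_START):
    """Return the listening sockets handed over by the service manager.

    environ, pid and start are overridable (an assumption of this example)
    so the checks can be exercised without running under systemd.
    """
    env = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(env.get("LISTEN_PID", "")) != pid:
            return []  # variables were inherited, not addressed to us
        count = int(env.get("LISTEN_FDS", ""))
    except ValueError:
        return []  # unset or malformed: not socket-activated
    listeners = []
    for fd in range(start, start + max(count, 0)):
        os.set_inheritable(fd, False)  # do not leak the socket to children
        sock = socket.socket(fileno=fd)  # family and type are read from the fd
        if not sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
            sock.detach()  # leave the descriptor open, just refuse to use it
            raise ValueError(f"fd {fd} is not a listening socket")
        listeners.append(sock)
    if environ is None:
        # Same effect as sd_listen_fds(1): stop children from seeing stale values.
        for name in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
            os.environ.pop(name, None)
    return listeners


if __name__ == "__main__":
    socks = inherited_listeners()
    if not socks:
        raise SystemExit("not socket-activated: LISTEN_PID/LISTEN_FDS absent or for another PID")
    conn, peer = socks[0].accept()  # the first client connection triggered our start
    print("activated by connection from", peer)
    conn.close()
```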

