uauth is a transparent wrapper that automatically creates reverse SSH tunnels back to your local machine for any ports your command opens — so services running on a remote server are immediately accessible on your laptop without any manual port-forwarding setup.
When you SSH into a remote machine and run a command through uauth, it:
- Detects that you are in an SSH session and identifies your client IP.
- Starts the command as a child process (with full terminal control — raw mode, signals, resize events all work normally).
- Polls for TCP ports that the child process tree starts listening on.
- For each new port, establishes a reverse SSH tunnel (`ssh -R`) back to your machine, making the port available on `localhost` on your end.
- Tears down tunnels automatically when ports stop listening.
- When the child exits, tears down all tunnels and exits with the same code.
If you are not in an SSH session, uauth execs the command directly with no overhead.
- Go 1.21+ (to build)
- `ssh` client available on the remote machine
- `sshd` running on your local machine (to accept reverse tunnels)
- Key-based SSH auth from the remote machine back to your local machine (no password/passphrase prompts — tunnels use `BatchMode=yes`)
```bash
# Build only
make build
# Build and install to ~/.local/bin/uauth
make install
```
Make sure `~/.local/bin` is on your `PATH`:
```bash
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
```
To cross-compile for a specific platform:
```bash
GOOS=linux GOARCH=amd64 go build -o uauth .
```
Your local machine receives the reverse tunnels, so it must:
1. Have sshd running and reachable from the remote machine.
On macOS, enable Remote Login in System Settings > General > Sharing.
On Linux:
```bash
sudo systemctl enable --now sshd
```
2. Trust the remote machine's SSH key.
The remote machine will connect back to you as your local user. Add the remote machine's public key to your ~/.ssh/authorized_keys:
```bash
# On the remote machine, print its public key:
cat ~/.ssh/id_ed25519.pub
# On your local machine, append it:
echo "<remote-public-key>" >> ~/.ssh/authorized_keys
```
If the remote machine has no key pair yet, generate one:
```bash
ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519
```
1. Install uauth — copy the binary to somewhere on `PATH`, e.g. `~/.local/bin/uauth`.
2. Ensure the remote machine can SSH back to your local machine without prompting.
Test from the remote machine:
```bash
ssh -o BatchMode=yes <your-local-username>@<your-local-ip> echo ok
```
If this fails, check that the remote's public key is in your local `~/.ssh/authorized_keys`.
3. (Optional) Pre-trust your local machine's host key to avoid a first-connection prompt:
```bash
ssh-keyscan <your-local-ip> >> ~/.ssh/known_hosts
```
uauth uses `StrictHostKeyChecking=accept-new`, so the first connection auto-trusts the host key — subsequent connections are verified.
Prefix any command with uauth --:
```bash
uauth -- npm run dev
uauth -- python -m http.server 8080
uauth -- cargo run
```
When run over SSH, any port the command opens on the remote machine becomes available on the same port number on your local `localhost`.
| Flag | Default | Description |
|---|---|---|
| `--ssh-user` | `$USER` | Username for the reverse SSH connection back to your local machine |
| `--poll-interval` | `500` | How often to scan for new listening ports, in milliseconds |
| `--verbose` | `false` | Log tunnel lifecycle events to stderr |
| `--log-file` | (none) | Write tunnel events to a file instead of (or in addition to) stderr |
```bash
# SSH into the remote machine
ssh myserver
# Run your dev server through uauth
uauth --verbose -- npm run dev
```
Your dev server's port (e.g. 3000) is now reachable at http://localhost:3000 on your laptop.
If your local username differs from your remote username:
```bash
uauth --ssh-user myhomeuser -- python -m http.server 9000
```
To use uauth transparently as a drop-in, you can alias commands in your remote `~/.bashrc`:
```bash
alias npm='uauth -- npm'
```
- Only ports bound to `localhost` or a wildcard address (`0.0.0.0` / `::`) are tunneled. Ports already bound to a specific non-loopback address are ignored.
- All tunnels are torn down cleanly when the child process exits.
- `BROWSER=false` is set in the child process environment to prevent dev servers from trying to open a browser on the remote machine.
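The bind-address rule in the first note, applied to a Linux `/proc/net/tcp` table, as an added example that is not uauth's own code. It assumes the IPv4 table on a little-endian host, skips the process-tree matching, and uses the hypothetical name `TunnelablePorts` and a constructed sample table.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample in /proc/net/tcp layout (IPv4 only, not captured from a real host).
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0A00000A:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1
   3: 0100007F:C350 0100007F:0BB8 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
`

// TunnelablePorts (hypothetical helper) returns the ports in LISTEN state that
// are bound to loopback or the wildcard address; other binds are ignored.
func TunnelablePorts(procNetTCP string) ([]int, error) {
	var ports []int
	for i, line := range strings.Split(procNetTCP, "\n") {
		f := strings.Fields(line)
		if i == 0 || len(f) < 4 || f[3] != "0A" {
			continue // header, blank line, or socket not in TCP_LISTEN (0A)
		}
		addrHex, portHex, ok := strings.Cut(f[1], ":")
		raw, err := hex.DecodeString(addrHex)
		if !ok || err != nil || len(raw) != 4 {
			return nil, fmt.Errorf("line %d: bad local_address %q", i+1, f[1])
		}
		port, err := strconv.ParseUint(portHex, 16, 16)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad port %q", i+1, portHex)
		}
		// Assumption: little-endian host, so the address bytes appear reversed.
		ip := net.IPv4(raw[3], raw[2], raw[1], raw[0])
		if ip.IsLoopback() || ip.IsUnspecified() {
			ports = append(ports, int(port))
		}
	}
	return ports, nil
}

func main() {
	ports, err := TunnelablePorts(sampleProcNetTCP)
	fmt.Println(ports, err)
}
```

In the sample, the listener on 10.0.0.10:9000 and the established connection from port 50000 are both skipped, leaving only the loopback and wildcard listeners.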