Overly Sharpened Blog

Call Home

A short upstart script that keeps a reverse ssh tunnel from a remote machine back to a hub, so the remote's sshd is reachable through a single forwarded port on the hub.

The idea is that each remote box holds open an ssh connection to a hub machine, with one port on the hub forwarded back (ssh -R) to the remote's ssh port. The remote box's sshd should not be listening for connections except on localhost (i.e., 127.0.0.1), and should still require authentication: at least a password, and preferably public key auth. Note also that rhosts/host-based auth is, once again, insecure here, as any other callhome'ing box will appear to come from the hub.

callhome should be a restricted user account on the hub machine. If you have multiple machines using this, each one should have its own port and its own restricted user. Pay attention to your remote keys! It's trivial for an attacker on a cracked remote to bind other ports on the hub and attempt to masquerade as another remote. Indeed, any compromised remote box now has access to a restricted account on the hub machine, so making the hub machine an isolated VM or a separate server is a good idea (I use a spare beagleboard for this purpose; additional blinkenlights are always welcome on my desk!)

Finally, if you're sane, add your id_rsa.pub to the authorized_keys file of a user on the remote. Use a key pair that does not live on the hub, so that even if the hub is compromised, the remotes that call into it are not immediately compromised as well. Note also that a passphrase on a key kept on the hub buys you very little here: if the hub is compromised, the attacker can just wait for you to type in your passphrase, and then you're hooped.
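The hub-side account restrictions and the remote sshd requirements described above, as an added example (not part of the original post). The authorized_keys options restrict, port-forwarding and permitlisten are real OpenSSH options; permitlisten needs OpenSSH 7.8 or later, which is newer than the upstart-era setup here. The port, the sample key and the two sample sshd_config texts are made up for illustration.

```shell
#!/bin/sh
# Hub-side lockdown for one callhome account, and an audit of the remote's
# sshd_config. Added example; ports, keys and config text are constructed.

# authorized_keys line for the hub's per-remote account. "restrict" disables
# pty, agent/X11 forwarding and ~/.ssh/rc; "port-forwarding" re-enables TCP
# forwarding; "permitlisten" (OpenSSH 7.8+) limits -R to this one port, so a
# cracked remote cannot bind another remote's port and impersonate it.
# Port-only form on purpose: ssh asks for the listen host "localhost" when
# -R has no bind address, and that does not match "127.0.0.1:port". Leave
# GatewayPorts at its default (no) so the port stays on the hub's loopback.
# The forced command replaces whatever the client asks to run and simply
# holds the session open, mirroring the "sleep 1h" in the job below.
callhome_authorized_key() {   # usage: callhome_authorized_key PORT "KEYTYPE KEY COMMENT"
    port="$1"
    pubkey="$2"
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/sleep 1h" %s\n' \
        "$port" "$pubkey"
}

# Audit a remote's sshd_config read on stdin: sshd must listen only on
# loopback (the tunnel is the only way in), must not accept empty passwords,
# and public-key auth must stay on. Only the global section is checked:
# Match blocks are skipped and Include is not followed. Prints each finding
# and returns 1 if there are any, 0 if the config is clean.
audit_remote_sshd() {
    findings=$(awk '
        { sub(/#.*/, ""); if (NF < 2) next; key = tolower($1); val = $2 }
        key == "match" { inmatch = 1 }
        inmatch { next }
        key == "listenaddress" {
            seen++
            if (val !~ /^127\./ && val != "::1" && val !~ /^\[::1\]/)
                print "ListenAddress " val " is not loopback"
        }
        key == "permitemptypasswords" && tolower(val) == "yes" { print "PermitEmptyPasswords yes" }
        key == "pubkeyauthentication" && tolower(val) == "no" { print "PubkeyAuthentication no" }
        END { if (!seen) print "no ListenAddress: sshd listens on every interface" }
    ')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample configs: a careless one and a locked-down one. The Match
# block in the second is there to show it is ignored by the audit.
LAX_SSHD_CONFIG='Port 22
ListenAddress 0.0.0.0
PermitEmptyPasswords yes
PubkeyAuthentication no'

TIGHT_SSHD_CONFIG='Port 22
ListenAddress 127.0.0.1
ListenAddress [::1]:22
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes'

# Demo run: the key line for port 22001, then both audits.
callhome_authorized_key 22001 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal remote1"
if printf '%s\n' "$LAX_SSHD_CONFIG" | audit_remote_sshd; then
    echo "lax config: clean"
else
    echo "lax config: fix before putting this box behind the hub"
fi
if printf '%s\n' "$TIGHT_SSHD_CONFIG" | audit_remote_sshd; then
    echo "tight config: clean"
fi
```

On the hub, the generated line goes into the callhome account's authorized_keys, one account and one port per remote; GatewayPorts should stay at its default of no. On each remote, `audit_remote_sshd < /etc/ssh/sshd_config` before the box is handed over is the check that the only way in really is the tunnel.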

To access a remote box, ssh into your hub, then ssh to localhost on whichever port that remote's tunnel is listening on. ssh-agent-based authentication to the remote is recommended at that point, but assuming the hub isn't itself compromised, a password is... adequate.
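The two-hop access described above, done in one hop with ProxyJump, plus a check on the hub of which tunnels are actually up, as an added example (not part of the original post). ProxyJump and HostKeyAlias are real ssh_config keywords (ProxyJump needs OpenSSH 7.3+); it is assumed that a `Host hub` entry for your.domain.or.ip.here already exists in ~/.ssh/config. The remote names, ports and the `ss -ltn` output below are made up.

```shell
#!/bin/sh
# Reaching a remote through the hub without a manual double hop, and a check
# on the hub of which tunnels are live. Added example; "hub", the remote
# names, ports and the ss output are constructed.

# ssh_config stanza for one remote. ProxyJump opens the connection through
# the hub straight into the forwarded port, so no shell runs on the hub and
# no key or agent has to live there. HostKeyAlias files each remote's host
# key under its own name in known_hosts instead of "[localhost]:220xx".
remote_ssh_config() {   # usage: remote_ssh_config NAME PORT USER
    printf 'Host %s\n    HostName localhost\n    Port %s\n    User %s\n    ProxyJump hub\n    HostKeyAlias %s\n\n' \
        "$1" "$2" "$3" "$1"
}

# Which expected tunnel ports are listening on the hub, and are they on
# loopback only? Feed `ss -ltn` on stdin; one line per port comes out.
# A port bound on anything but 127.0.0.1 or [::1] means GatewayPorts got
# switched on, or something else grabbed the port, and that remote's sshd is
# reachable from the network rather than only from the hub.
tunnel_status() {   # usage: tunnel_status PORT... < ss-output
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " ") }
        $1 == "LISTEN" {
            k = split($4, a, ":"); port = a[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            bound[port] = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed[port] = addr
        }
        END {
            for (i = 1; i <= n; i++) {
                p = want[i]
                if (!(p in bound)) print p " DOWN"
                else if (p in exposed) print p " EXPOSED on " exposed[p]
                else print p " UP"
            }
        }'
}

# Constructed `ss -ltn` sample: 22001 is a healthy tunnel, 22002 has been
# bound on all interfaces, and 22003's remote is not calling in.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22001   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22002     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Demo run: a stanza for one remote, then the status of three expected ports.
remote_ssh_config remote1 22001 me
printf '%s\n' "$SAMPLE_SS" | tunnel_status 22001 22002 22003
```

On your workstation, append one stanza per remote to ~/.ssh/config and `ssh remote1` goes through the hub; because the jump never gives you a shell on the hub, neither your key nor a forwarded agent is exposed to it. On the hub, `ss -ltn | tunnel_status 22001 22002 22003` is the quick "who is home" check, and an EXPOSED line is worth treating as an incident.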

Source

description "Call back to the office"

# Start once a network interface is up; stop when leaving the multi-user runlevels.
start on net-device-up
stop on (runlevel [!2345])

# Whenever ssh exits (link drop, hub reboot, the hour is up), upstart runs the job again.
respawn
script
  # Port on the hub's loopback that maps to this box's sshd. One port (and
  # one restricted hub account) per remote.
  PORT="22001"

  # -R: the hub listens on 127.0.0.1:$PORT and forwards it to our sshd.
  # BatchMode: never prompt; the job runs unattended as root, so root's key is used.
  # ServerAliveInterval: notice a dead link after a few missed probes.
  # ExitOnForwardFailure: if the hub port is already taken, exit and let respawn retry.
  # StrictHostKeyChecking no / CheckHostIP no: accept the hub's host key on first
  #   contact; pin it in known_hosts and set "yes" if a fake hub worries you.
  # The remote command (bash on the hub) just holds the session open for an hour.
  ssh -R ${PORT}:127.0.0.1:22 \
    -o "BatchMode yes" -o "ServerAliveInterval 15" -o "CheckHostIP no" \
    -o "ExitOnForwardFailure yes" -o "StrictHostKeyChecking no" \
    callhome@your.domain.or.ip.here "shopt -s huponexit ; sleep 1h" ||
  {
    # Back off so a hub that is down isn't hammered by respawn.
    sleep 30s
  }
end script