Improved call-home SSH scripts

Here’s an improvement to the original call-home scripts. The old scripts assumed a separate user account on the central server for each remote machine. Also each remote machine had its own ssh_tunnel.sh where the unique account and TCP port are specified.

In the new approach, all remote stations share the same ssh_tunnel.sh script and differ only in their SSH keys. It's important to have a unique SSH key on each machine, so that access can be revoked quickly if a host is compromised: remove that one key from authorized_keys and nothing else changes.

So, on the callhome server, we create a new user account. It has a normal /bin/sh shell, and the options in authorized_keys make sure that the remote account cannot do any harm on our server.

Creating the comehome user:

useradd -r -m -k /dev/null comehome
cd /home/comehome/
mkdir .ssh
chown comehome:comehome .ssh/
chmod 700 .ssh/

Each public SSH key is now associated with a unique TCP port, which is echoed back to the client by the forced command. The remaining options provide extra restrictions (no rc files, no X11 or agent forwarding, no PTY):

cat >>.ssh/authorized_keys <<EOT
command="/bin/echo 2102",no-user-rc,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N<skipped> root@alix102
EOT
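As an added example (not part of the original post), here is a small POSIX sh helper for the server side that appends exactly the kind of restricted authorized_keys entry shown above, while refusing a port that is already assigned to another key, a key that is already registered, or a port that is not a plain unprivileged number. The file paths, the function names and the key material used in the demo are constructed assumptions.

```sh
#!/bin/sh
# register_station.sh (hypothetical helper): register one remote station's
# public key on the call-home server with a forced command that echoes its port.
# Usage: register_station AUTHORIZED_KEYS_FILE PORT PUBKEY_FILE

# Same restrictions as the authorized_keys line in the post.
RESTRICTIONS='no-user-rc,no-X11-forwarding,no-agent-forwarding,no-pty'

# Return 0 if $1 is a number in 1024..65535. sshd refuses to bind privileged
# (<1024) remote-forward ports for a non-root account such as comehome.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Return 0 if port $2 is already used by a forced command in file $1.
port_in_use() {
    [ -f "$1" ] && grep -q "^command=\"/bin/echo $2\"" "$1"
}

# Return 0 if the key blob $2 already appears in file $1.
key_present() {
    [ -f "$1" ] && grep -qF -- "$2" "$1"
}

register_station() {
    ak="$1"; port="$2"; pubfile="$3"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    # A public key file holds one line: TYPE BLOB [COMMENT]
    read -r ktype blob comment < "$pubfile"
    [ -n "$blob" ] || { echo "cannot parse $pubfile" >&2; return 1; }
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    if port_in_use "$ak" "$port"; then
        echo "port $port already assigned" >&2; return 1
    fi
    if key_present "$ak" "$blob"; then
        echo "key already registered" >&2; return 1
    fi
    # Append the restricted entry; the comment (e.g. root@alix102) is kept
    # so an operator can tell which station to revoke later.
    printf 'command="/bin/echo %s",%s %s %s%s\n' \
        "$port" "$RESTRICTIONS" "$ktype" "$blob" "${comment:+ $comment}" >> "$ak"
}

# Print "PORT COMMENT" for every registered station.
list_stations() {
    [ -f "$1" ] || return 0
    sed -n 's/^command="\/bin\/echo \([0-9]*\)".* \([^ ]*\)$/\1 \2/p' "$1"
}

# When run directly with three arguments, act as a command-line tool.
if [ "$#" -eq 3 ]; then
    register_station "$1" "$2" "$3"
fi
```

Run it as root on the server, e.g. `./register_station.sh /home/comehome/.ssh/authorized_keys 2102 alix102.pub`, and keep the file owned by comehome with mode 600. Revoking a station is then a matter of deleting its line; `list_stations` shows which port belongs to which key comment.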

Then the new ssh_tunnel.sh on the remote machine looks as follows:

#!/bin/sh
# ssh_tunnel.sh: identical on every remote station; only the SSH key differs.

# Note: UserKnownHostsFile=/dev/null with StrictHostKeyChecking=no accepts any
# host key, so the client never notices a substituted server.
SSHCMD="ssh -Tq -o ServerAliveInterval=5 \
    -o UserKnownHostsFile=/dev/null \
    -o StrictHostKeyChecking=no \
    comehome@callhome.example.net"

while true; do
    # The forced command in authorized_keys echoes back the port assigned to our key.
    PORT=$($SSHCMD)
    # The leading 0 keeps the test valid when nothing came back; a non-numeric
    # reply makes test fail (its error is silenced) and we simply retry.
    if test 0"${PORT}" -gt 0 2>/dev/null; then
        # Reverse tunnel: port $PORT on the server forwards to our local sshd.
        # Binding on "*" needs GatewayPorts yes (or clientspecified) in the
        # server's sshd_config; otherwise sshd listens on loopback only.
        $SSHCMD -NC -R "*:${PORT}:127.0.0.1:22"
    fi
    sleep 5
done

  1. #1 by blue on September 17, 2013 - 9:44 am

    Is this way safe to have the central server running in the LAN or is it still better to have it running in a DMZ?

    • #2 by txlab on September 17, 2013 - 9:49 am

      the central server would be open to SSH connections from public internet, and it does not need any connectivity to any internal LAN resources. So I would put it in the public network or Internet hosting.

      • #3 by blue on September 18, 2013 - 9:10 am

        thx for this answer, it would have been obvious, but I didn't see it 😉
