Improved call-home SSH scripts

Here’s an improvement to the original call-home scripts. The old scripts assumed a separate user account on the central server for each remote machine, and each remote machine had its own file in which the unique account and TCP port were specified.

In the new approach, all remote stations run the same script and differ only in their SSH keys. It’s important to have a unique SSH key on each machine, so that access can be disabled quickly if a host is compromised.

So, on the callhome server, we create a single new user account. It has a normal /bin/sh shell; the options in authorized_keys make sure that a remote station cannot do any harm on our server.

Creating the comehome user:

# system account with an empty home directory (no skeleton files)
useradd -r -m -k /dev/null comehome
cd /home/comehome/
# the key directory must be owned by the user and not readable by others
mkdir .ssh
chown comehome:comehome .ssh/
chmod 700 .ssh/

Each public SSH key is now associated with a unique TCP port, which the forced command echoes back to the client. The remaining options restrict what the key is allowed to do (no user rc file, no X11 or agent forwarding, no pty). Port forwarding is deliberately left enabled, because the station needs it for the reverse tunnel:

cat >>.ssh/authorized_keys <<EOT
command="/bin/echo 2102",no-user-rc,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N<skipped> root@alix102
EOT
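As an added example (not code from the original post), here is a set of shell helpers for the comehome server that automates the per-key port assignment above and the quick revocation the post calls for when a host is compromised: each new public key gets the next unused port together with the post’s option string, a key that is already present is refused so two stations never share a port, and a station is cut off by deleting its line. The file path, the starting port 2100 and the constructed test keys with their root@alix10x comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the call-home
# server that keep one authorized_keys line per station, hand out a
# unique TCP port to each new key and cut a station off in one step.
# AUTHKEYS and BASE_PORT are assumptions of this example; the post only
# shows port 2102 for the key root@alix102.
AUTHKEYS="${AUTHKEYS:-/home/comehome/.ssh/authorized_keys}"
BASE_PORT="${BASE_PORT:-2100}"

# The option string from the post: the only thing a station may "run"
# is an echo of its port, and it gets no rc file, X11, agent or pty.
key_options() {
    printf 'command="/bin/echo %s",no-user-rc,no-X11-forwarding,no-agent-forwarding,no-pty' "$1"
}

# Highest port handed out so far, or BASE_PORT-1 when no key exists yet.
last_port() {
    if [ -s "$AUTHKEYS" ]; then
        sed -n 's/^command="\/bin\/echo \([0-9][0-9]*\)".*/\1/p' "$AUTHKEYS" |
            sort -n | tail -n 1 | grep . && return
    fi
    echo $((BASE_PORT - 1))
}

# add_station <pubkey-file>: append the key with the next free port and
# print that port. A key that is already present is refused, so two
# stations never share a line (and therefore never share a port).
add_station() {
    keydata=$(awk '{ print $2 }' "$1")
    if [ -s "$AUTHKEYS" ] && grep -qF -- "$keydata" "$AUTHKEYS"; then
        echo "key already present in $AUTHKEYS" >&2
        return 1
    fi
    port=$(( $(last_port) + 1 ))
    printf '%s %s\n' "$(key_options "$port")" "$(cat "$1")" >> "$AUTHKEYS"
    echo "$port"
}

# port_of <key-comment>: port assigned to the station whose key ends in
# that comment (e.g. root@alix102); prints nothing if it is not present.
port_of() {
    [ -s "$AUTHKEYS" ] || return 0
    awk -v c="$1" '$NF == c { sub(/^command="\/bin\/echo /, ""); sub(/".*/, ""); print }' "$AUTHKEYS"
}

# revoke_station <key-comment>: delete that station's line. Because the
# next port is always one above the highest port still in the file, a
# revoked port is not handed out again while a later key remains.
revoke_station() {
    tmp="$AUTHKEYS.tmp"
    awk -v c="$1" '$NF != c' "$AUTHKEYS" > "$tmp" && mv "$tmp" "$AUTHKEYS"
}
```

Two server-side settings are worth checking alongside this: the station’s `-R "*:PORT:..."` only binds a non-loopback address if sshd_config has `GatewayPorts yes` (or `clientspecified`), and on OpenSSH 7.8 and later a `permitlisten="PORT"` option can be added to the string in key_options so that a station can only bind the one port it was given rather than any port on the server; the post’s option set does not include it.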

Then the new script on the remote machine looks as follows. Note that with UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no the station does not verify the server’s host key; pinning the server key in a dedicated known_hosts file would be the stricter choice.


# the same script runs on every station; only the SSH key differs
SERVER="comehome@callhome.example.com"   # placeholder, the post does not give the server address

SSHCMD="ssh -Tq -o ServerAliveInterval=5 \
    -o UserKnownHostsFile=/dev/null \
    -o StrictHostKeyChecking=no"

while true; do
    # the forced command for this station's key echoes back its TCP port
    PORT=$($SSHCMD $SERVER)
    if test 0${PORT} -gt 0; then
        # -N opens no session, so the forced command is not run on this connection
        $SSHCMD -NC -R "*:${PORT}:localhost:22" $SERVER   # 22 = this station's own sshd (assumed)
    fi
    sleep 5
done

  1. #1 by blue on September 17, 2013 - 9:44 am

    Is it safe this way to have the central server running in the LAN, or is it still better to have it running in a DMZ?

    • #2 by txlab on September 17, 2013 - 9:49 am

      The central server would be open to SSH connections from the public internet, and it does not need any connectivity to any internal LAN resources. So I would put it in the public network or on Internet hosting.

      • #3 by blue on September 18, 2013 - 9:10 am

        Thanks for this answer, it would have been obvious, but I didn’t see it 😉
