
How to provide “reverse ssh” to a shell?

Scenario:

Many embedded devices (running Linux) out in the fields, behind routers so NAT'd and we can't make connections to them.

We need for a support person to be able to initiate a terminal/shell session on any of the devices.

Their local terminal will also be NAT'd behind a corporate firewall, so we need some central "meeting point" that both they and the device can connect to.

If necessary, we could require the support person to log into some sort of terminal server, but I'd prefer a solution that just popped up a terminal window on their desktop.

We can (through other means) tell the device to execute some arbitrary script or application to start up the session.

Without the NAT, it's just SSH to the device and away we go. But what are my options in this NAT'd environment?

We're OK to develop code at either end or at the meeting point server if required, but obviously if there are apps out there so we don't have to write stuff, even better.

Pointers to other questions I may have missed (although I have looked) or to applications that I should consider for the central "meeting point" server welcomed.

How about simply setting up an ssh server that is reachable by both the device and the support user, and have the device set up a reverse tunnel (using remote port forwarding)?

ssh -R 10022:localhost:22 device@server

Then the support personnel can simply connect to the server and log on using

ssh -p 10022 localhost

Of course there are several security aspects that need to be accounted for here, depending on what kind of information the devices hold/have access to and how the support organization is set up.
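The "security aspects" the answer mentions are mostly about what the device's key is allowed to do on the meeting point. The following device-side script is an added example, not code from this answer: it builds the restricted authorized_keys entry for the device's public key (no shell, no pty, no agent or X11 forwarding, only the one agreed listen port) and keeps the reverse tunnel alive with keepalives and a retry loop. The host name, user name, key path and port are placeholders; the meeting point's host key is assumed to be in the device's known_hosts already, and permitlisten needs OpenSSH 7.8 or newer.

```shell
#!/bin/sh
# Added example, not code from the answer above: device-side reverse tunnel
# plus the matching authorized_keys line for the meeting point.
# All names and numbers below are placeholders, not real systems.
MEETING_HOST="${MEETING_HOST:-middleman.example.org}"  # assumed rendezvous server
MEETING_USER="${MEETING_USER:-tunnel}"                 # unprivileged account on it
IDENTITY="${IDENTITY:-/etc/device/tunnel_key}"         # device's private key (placeholder)
REMOTE_PORT="${REMOTE_PORT:-10022}"                    # port the support person connects to

# Accept only a numeric, unprivileged TCP port (1024-65535): the tunnel
# account on the meeting point is not root, so it cannot bind lower ports.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# authorized_keys entry for the device's public key on the meeting point.
# "restrict" disables pty, agent/X11 forwarding and the user rc file; only
# port forwarding is re-enabled, and only for the agreed listen port, and the
# forced command means even a session request gets no shell. A stolen device
# key therefore cannot log in to the server or open arbitrary tunnels.
authorized_keys_line() {
    # $1 = listen port the device may bind, $2 = device public key line
    valid_port "$1" || return 1
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$1" "$2"
}

# Keep the tunnel up: ssh exits when the link dies (keepalives) or when the
# remote port could not be bound (ExitOnForwardFailure), and the loop retries.
# -N opens no session, so the forced command above never runs, and the listener
# is bound on the server's loopback only, for "ssh -p 10022 localhost" there.
start_tunnel() {
    valid_port "$REMOTE_PORT" || { echo "bad REMOTE_PORT: $REMOTE_PORT" >&2; return 1; }
    while :; do
        ssh -N \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -o StrictHostKeyChecking=yes \
            -o BatchMode=yes \
            -i "$IDENTITY" \
            -R "127.0.0.1:${REMOTE_PORT}:localhost:22" \
            "${MEETING_USER}@${MEETING_HOST}"
        sleep 10   # back off before reconnecting
    done
}

# Running the file with no arguments only defines the functions above.
#   script.sh start           -> run the tunnel loop (e.g. from an init script)
#   script.sh print-key-line  -> print the authorized_keys line for this device
case "${1:-}" in
    start) start_tunnel ;;
    print-key-line) authorized_keys_line "$REMOTE_PORT" "$(cat "${IDENTITY}.pub")" ;;
esac
```

The support person then logs in to the meeting point and runs ssh -p 10022 localhost as in the answer; because the device bound its listener on 127.0.0.1, nothing outside the meeting point can reach the device's sshd directly.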

SSH is an adequate tool for this. You will, as you say, need a middle-man server. But it would be very easy to set up, assuming that your 'other means of executing a script' are remote and can be executed from your office.

So, fire up a new server on a global IP (an Amazon AWS micro node is free for a year and would do the job just fine), and install an ssh daemon. Say it has the hostname middleman.example.org.

The script to put onto your embedded devices would look like:

#!/bin/bash
# Open a reverse tunnel: port 2222 on the middleman is forwarded to this device's own sshd on port 22.
# -N opens no remote shell, so the script can run unattended.
ssh -N -i ./middle_id.pem -R 2222:localhost:22 middleuser@middleman.example.org

(The private key authentication would be a way of making the login non-interactive)

The script to put onto your desktop machines would look like (assuming the argument $1 is the IP of the embedded device, and that prod_remote_device.sh executes the above script on the chosen embedded device):

#!/bin/bash
# $1 = IP of the embedded device; prod_remote_device.sh makes it open the tunnel above.
./prod_remote_device.sh "$1"
# Connect to port 2222 on the middleman, which the tunnel forwards to the device's sshd.
ssh -i ./device_id.pem -p 2222 deviceuser@middleman.example.org

And that should forward your connection to the embedded device.

In order to make it bind to all interfaces, use:

ssh -N -R 0.0.0.0:2222:localhost:22 root@example.com

Don't forget to edit /etc/ssh/sshd_config and set GatewayPorts to yes.

And then connect to it from any loopback or Ethernet interface.
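Setting GatewayPorts to yes makes every reverse forward the device requests on 0.0.0.0 reachable from the Internet, which turns the meeting point into an open door to the device's sshd. The script below is an added example, not from this answer: it reports the effective GatewayPorts value of an sshd_config (first occurrence wins, as sshd does it; Match blocks are not modelled) and lists the listening sockets in ss -ltn output that are bound on a wildcard address. Both inputs are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the answer above: audit what the GatewayPorts
# advice exposes on the meeting point. The sample inputs are constructed.

# Effective GatewayPorts value for an sshd_config read from stdin. sshd keeps
# the first occurrence of a keyword; commented lines are skipped; Match blocks
# are not modelled. The compiled-in default is "no".
gateway_ports_setting() {
    awk 'tolower($1) == "gatewayports" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "no" }'
}

# From "ss -ltn" output on stdin, print the listening sockets bound on a
# wildcard address, i.e. reachable on every interface of the server.
exposed_listeners() {
    awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/ { print $4 }'
}

# Constructed samples (not real systems).
SAMPLE_CONFIG='Port 22
#GatewayPorts no
GatewayPorts yes
PermitRootLogin no'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:10022     0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# With "yes" or "clientspecified", a -R listener the device asked to bind on
# 0.0.0.0 is Internet-facing, so report such listeners. Returns 1 when at
# least one is found, 0 when forwards stay on loopback.
audit_meeting_point() {
    # $1 = sshd_config text, $2 = ss -ltn text
    setting=$(printf '%s\n' "$1" | gateway_ports_setting)
    echo "GatewayPorts: $setting"
    case "$setting" in
        no) return 0 ;;
    esac
    exposed=$(printf '%s\n' "$2" | exposed_listeners)
    [ -z "$exposed" ] && return 0
    echo "listeners reachable from all interfaces:"
    echo "$exposed"
    return 1
}

# Stand-alone run on the constructed samples. On a real meeting point use:
#   audit_meeting_point "$(cat /etc/ssh/sshd_config)" "$(ss -ltn)"
audit_meeting_point "$SAMPLE_CONFIG" "$SAMPLE_SS" || echo "audit: exposed listeners found"
```

On the sample input the audit prints GatewayPorts: yes and flags 0.0.0.0:2222 and [::]:22; the 2222 listener is exactly the device tunnel from the command above, now reachable by anyone who can reach the server. Leaving GatewayPorts at no (or using clientspecified and binding to 127.0.0.1) keeps the device reachable only to people who first log in to the meeting point.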
