Scenario:

Many embedded devices (running Linux) out in the fields, behind routers so NAT'd and we can't make connections to them.

We need for a support person to be able to initiate a terminal/shell session on any of the devices.

Their local terminal will also be NAT'd behind a corporate firewall, so we need some central "meeting point" that both they and the device can connect to.

If necessary, we could require the support person to log into some sort of terminal server, but I'd prefer a solution that just popped up a terminal window on their desktop.

We can (through other means) tell the device to execute some arbitrary script or application to start up the session.

Without the NAT, it's just SSH to the device and away we go. But what are my options in this NAT'd environment?

We're OK to develop code at either end or at the meeting point server if required, but obviously if there are apps out there so we don't have to write stuff, even better.

Pointers to other questions I may have missed (although I have looked) or to applications that I should consider for the central "meeting point" server welcomed.

The Archetypal Paul
  • You could use `ssh` somewhere for proxying/forwarding... Your question is not source code related, so is off-topic on stack overflow. Try on http://superuser.com/ – Basile Starynkevitch Aug 03 '12 at 09:36
  • Yes, I had assumed ssh was in the solution somewhere but was looking for something a bit more specific! And, it's potentially source-code related (or rather programming related, which is what I thought SO was about, not source-code) depending on what we have to do, and there are a lot of ssh related questions already that don't have source-code parts... However, I will try on superuser.com – The Archetypal Paul Aug 03 '12 at 09:48

4 Answers

How about simply setting up an ssh server that is reachable by both the device and the support user, and have the device set up a reverse tunnel (using remote port forwarding)?

ssh -R 10022:localhost:22 device@server

Then the support personnel can simply connect to the server and log on using

ssh -p 10022 localhost

Of course there are several security aspects that need to be accounted for here, depending on what kind of information the devices hold/have access to and how the support organization is set up.

Anders Lindahl

SSH is an adequate tool for this. You will, as you say, need a middle-man server. But it would be very easy to set up, assuming that your 'other means of executing a script' are remote and can be executed from your office.

So, fire up a new server on a global IP (an Amazon AWS micro node is free for a year and would do the job just fine), and install an ssh daemon. Say it has the hostname middleman.example.org.

The script to put onto your embedded devices would look like;

#!/bin/bash
# Remote forward: port 2222 on the middleman is forwarded back to this device's sshd on port 22
# (-R takes remote_port:local_host:local_port, so the middleman's port comes first)
ssh -i ./middle_id.pem -R 2222:localhost:22 middleuser@middle.example.org

(The private key authentication would be a way of making the login non-interactive)

The script to put onto your desktop machines would look like; (assuming the argument $1 is the IP of the embedded device, and that prod_remote_device.sh executes the above script on the chosen embedded device.)

#!/bin/bash
./prod_remote_device.sh "$1"
# Connect to the middleman's forwarded port 2222, which lands on the device's sshd
# (the port is given with -p; ssh does not accept a host:port suffix)
ssh -i ./device_id.pem -p 2222 deviceuser@middle.example.org

And that should forward your connection to the embedded device.

Jonathan Hall
lynks
  • Thanks. So somewhere I need to track ports (2121 in your example) in use by this and pick a free one for use on the middleman server? Sounds doable. – The Archetypal Paul Aug 03 '12 at 10:01
  • I **think** that should do it. Although someone else might need to clarify that deviceuser@middle.example.org would actually work here, as that username is for a different machine. – lynks Aug 03 '12 at 10:10
  • @Paul and in reply to your original question, yes if you have multiple sessions open to different devices you would need some way of picking a free port, which would then need to be passed to the prod_remote_device.sh script, so it could be used from both sides. or you could just define a range and select at random until you find a free one, probably not as much of a hack as it sounds... – lynks Aug 03 '12 at 10:12
  • Thanks to lynks (and @Anders Lindahl) for your answers. For extra credit :) if I needed to make a highly-available solution (i.e. with multiple middleman servers and ideally a transparent way of using any of those that are up and running) any ideas on how that might be possible? – The Archetypal Paul Aug 04 '12 at 07:24
  • Hate to bang on about a provider, but AWS makes load-balancing trivial. You can set up a load-balancer on an IP, and have as many nodes as you want sat behind it (you can even programmatically control the number of nodes remotely). – lynks Aug 06 '12 at 09:40
  • Yes, but the device and user both need to pick the same node, I think. Which is the tricky bit. – The Archetypal Paul Aug 06 '12 at 09:55
  • That's the point of the load balancer, your node cluster pretends to be one machine, with 1 IP address. If one of the nodes has a problem the load-balancer will simply and transparently stop using it. – lynks Aug 06 '12 at 09:58
  • Yes, I know LBs :) I mean both the user and the device need to end up using port 2121 on the same host/node or they can't talk. Also, middle_id.pem will be node-dependent. – The Archetypal Paul Aug 06 '12 at 10:04
  • Yep, as soon as I typed that I realised I was completely wrong. This might be a little tricky to make horizontal, I'll have a think. – lynks Aug 06 '12 at 10:05
  • It's not necessarily a requirement for me (well, HA for the overall system is, but I can probably argue it doesn't really matter too much for ad-hoc terminal use if it's not completely transparent). Probably what to do is the user contacts the middlemen through an LB, discovers what node they ended up on, and tells the device to contact that node. – The Archetypal Paul Aug 06 '12 at 10:17
  • Assuming you can then request that node from the LB, or connect to that node directly, that should work :) – lynks Aug 06 '12 at 10:18
  • (SO is whining this is an extended discussion so last comment from me) Thanks - I'll make that a problem for our hosting team :) – The Archetypal Paul Aug 06 '12 at 10:22
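Putting Anders Lindahl's and lynks' answers together with the port-allocation question raised in the comments above, here is an added example (not code from any of the answers): a POSIX shell helper that hands each device its own port from a range, builds the device's reverse-tunnel command with the options that make a port collision or a dead NAT mapping fail loudly, and emits the middleman-side authorized_keys restriction that limits the device's key to that single listener. The usernames (tunnel, support, deviceuser), the key paths, the state file and the port range are assumptions; permitlisten needs OpenSSH 7.8+ and -J needs OpenSSH 7.3+.

```shell
#!/bin/sh
# Added example, not from the answers: per-device port allocation plus the
# hardened tunnel command and key restriction for the reverse-SSH meeting point.
# Assumed: usernames tunnel/support/deviceuser, key paths and the port range.
PORT_MIN=10000
PORT_MAX=10100

# alloc_port DEVICE STATEFILE: print DEVICE's recorded port, or the lowest free
# port in the range (recording it). Fails (no output) when the range is full.
alloc_port() {
  dev=$1; state=$2
  [ -f "$state" ] || : > "$state"
  p=$(awk -v d="$dev" '$1 == d { print $2; exit }' "$state")
  if [ -n "$p" ]; then printf '%s\n' "$p"; return 0; fi
  p=$PORT_MIN
  while [ "$p" -le "$PORT_MAX" ]; do
    if ! awk -v q="$p" '$2 == q { f=1 } END { exit !f }' "$state"; then
      printf '%s %s\n' "$dev" "$p" >> "$state"
      printf '%s\n' "$p"; return 0
    fi
    p=$((p + 1))
  done
  return 1
}

# device_tunnel_cmd PORT MIDDLEMAN KEYFILE: what the device runs. -N gives the
# tunnel account no shell; ExitOnForwardFailure turns a port collision into a
# failure instead of a silent session with no tunnel; keepalives tear down a
# session whose NAT mapping has died so the port can be reused.
device_tunnel_cmd() {
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 tunnel@%s\n' "$3" "$1" "$2"
}

# authorized_keys_line PORT PUBKEY: middleman-side entry for the device key.
# restrict drops pty, agent/X11 forwarding and commands; port-forwarding with
# permitlisten (OpenSSH 7.8+) re-enables only this one loopback listener.
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# support_cmd PORT MIDDLEMAN: what the support user runs. -J (OpenSSH 7.3+)
# hops through the middleman to its loopback port, so GatewayPorts can stay off
# and the device's sshd is never exposed on the middleman's public interface.
support_cmd() {
  printf 'ssh -J support@%s -p %s deviceuser@localhost\n' "$2" "$1"
}

# Usage: . ./meeting_point.sh; p=$(alloc_port dev-17 ports.txt)
#        device_tunnel_cmd "$p" middleman.example.org ./middle_id.pem
```

The state file is the single place where device-to-port assignments live, so the same port number reaches prod_remote_device.sh on the device side and the support user's command on the other.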
In order to make it bind to all interfaces, use:

ssh -N -R 0.0.0.0:2222:localhost:22 root@example.com

Don't forget to edit /etc/ssh/sshd_config, go to GatewayPorts and enable it by setting it to yes.

And then connect to it from any loopback or Ethernet interface.

Mohamad Osama
I use socat for this exact purpose. But the data is not encrypted with socat like it is with ssh. Socat doesn't need a proxy in the middle either. Great tool (yes, this is an old post, but throwing this up here for anyone who may be looking into this issue).