7

I am designing an API for confidential communication between an IoT device and a client. A must is that the client-device connection is secure and no man-in-the-middle can tamper with the communication or attack the devices, including the routing server.

The network diagram is the following:

[Image: network diagram]

  • IoT devices are always at home behind the same network.
  • Client devices are mobile and change networks.
  • Clients continuously connect and disconnect to the IoT device.

The clients must be able to execute commands on the IoT devices via an API server running on each IoT device. The routing server only tunnels the requests, but must not be trusted.

My question is:

What protocol should I use to implement this scheme?

I am a little confused over SSH. It seems to be the perfect fit for the secure client <--> IoT device communication over a Tunnel.

But is it possible to create a RESTful API using SSH?

I don't need direct access to the device's shell, I need a layer of abstraction, provided by an API running on the IoT device.

If SSH is not an option, can I securely route requests and execute commands on the IoT device from the Client in any other way?

BabbevDan
  • 1
    Most people would just use HTTPS here. – Kenster Feb 04 '18 at 15:07
  • 1
    SSH and REST are orthogonal. SSH carries the traffic, REST simply defines what that traffic looks like. – chepner Feb 04 '18 at 16:21
  • My real dilemma is whether I should run a classical HTTPS server on the IoT devices, create a REST API with strong authentication and let Clients execute commands through it, or should I develop something on top of SSH. The goal is to let remote Clients execute certain commands on the devices safely. And wasn't SSH made for this reason? However, the clients must not see a remote shell on their smartphones, but a nice GUI – BabbevDan Feb 05 '18 at 02:22
  • Do you realize that with both methods the final user will need to open ports on his firewall to allow the connection? – n00dl3 Feb 05 '18 at 08:33
  • The IoT device automatically connects to the tunneling server. I consider using Ngrok link. There is no need to forward ports on both sides – BabbevDan Feb 05 '18 at 08:50
  • Ah, a classic example of the Byzantine Generals Problem. If you don't trust that hunk of metal in the middle your problem becomes exponentially more difficult - https://www.microsoft.com/en-us/research/uploads/prod/2016/12/The-Byzantine-Generals-Problem.pdf - if you don't want to end up with another proof-of-work system on your hands after days (weeks?) of research, just trust the middle man, and make it an MQTT broker over TLS while at it. MQTT is a pub/sub model, HTTP is clunky and stateless, doesn't work very well in IoT. – evilSnobu Feb 07 '18 at 22:14
  • Hi @BabbevDan, it has been a while since you asked the question. I guess you already have your design and implementation. Can you please share your experience, especially the pros and cons of communicating through SSH? Thanks. – alpera Sep 20 '18 at 15:32

2 Answers

0

The way to do it is just to use HTTPS and certificate pinning (this is very similar to what SSH does under the hood).

On the first request to the IoT device, the user pins the device's certificate - after confirming that it is the correct one.

Once we have the certificate we just expose the REST API over the insecure proxy. Everything from then on is handled by the TLS protocol automatically.

The security guarantees are the same as with the SSH protocol.

BabbevDan
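The pin-on-first-use flow from the answer above, as an added example that is not part of the original post. It assumes the device presents a self-signed certificate and that the relay forwards raw TCP so TLS terminates on the device; `check_pin`, `open_pinned`, the JSON pin store and the `confirm` callback are hypothetical names.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """The presented certificate differs from the one pinned on first use."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the value the user confirms out of band."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(store: Path, device_id: str, cert_der: bytes, confirm) -> str:
    """Trust on first use: pin after user confirmation, then require an exact match."""
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(cert_der)
    if device_id not in pins:
        if not confirm(device_id, seen):   # e.g. compare with a label on the device
            raise PinMismatch("user rejected fingerprint on first contact")
        pins[device_id] = seen
        store.write_text(json.dumps(pins))
        return "pinned"
    if not hmac.compare_digest(pins[device_id], seen):
        raise PinMismatch(f"certificate for {device_id} changed; refusing to send")
    return "match"


def open_pinned(relay_host: str, port: int, device_id: str, store: Path, confirm):
    """Open TLS through the untrusted relay and check the pin before any request."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # assumption: self-signed device certificate, so
    ctx.verify_mode = ssl.CERT_NONE  # CA validation is replaced by the pin check below
    raw = socket.create_connection((relay_host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=relay_host)  # SNI only, not verified
    try:
        check_pin(store, device_id, tls.getpeercert(binary_form=True), confirm)
    except PinMismatch:
        tls.close()
        raise
    return tls  # caller speaks HTTP to the device's REST API over this socket
```

Because the pin is compared on the same TLS session that later carries the request, a relay that substitutes its own certificate is rejected before any command is sent.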
-1

A REST API is designed to work over the HTTP protocol. The SSH protocol is completely different from HTTP, because the way methods are called is different.

You can achieve encryption with HTTPS and you can still bind authentication to the OS (PAM).

Otherwise you can make an SSH tunnel host to host and make HTTP calls. (Sure, you can automate the whole process.)

aze2201