On 27/10/2020 15:40, Martin Gregorie wrote:
> On Tue, 27 Oct 2020 12:34:48 +0000, Chris Green wrote:
>
>> Dr Eberhard Lisse wrote:
>>>
>>> On 27/10/2020 12:28, Chris Green wrote:
>>>> Jan Novak wrote:
>>> [...]
>>>> So you need to set up reverse tunnel outgoing connections from your
>>>> Pi, this you have to do with access to it of course. Then, once
>>>> that's done you can access it using ssh from 'outside'.
>>>>
>>>> If you want to know more then just ask.
>>>>
>>>>
>>> I might have use for something like this (for a host which I can access
>>> via AnyDesk, but not SSH, at the moment.
>>>
>>> Where can one read up on how to do this?
>>>
>> In various places, it's not really "all in one place".
>>
>> If you look for 'ssh reverse tunnel' you will find how to do the ssh
>> bit. Basically it uses the -R option of ssh so that a 'remote' system
>> you have connected to from your Pi using ssh can connect back through
>> the same connection *to* the Pi.
>>
>> The ssh man page explains it moderately well but you might want to try
>> searching for some examples as well, you do need a clear mind to set it
>> up right. :-)
>>
>> My Beaglebone Black (the system like a Pi) is on a boat in France behind
>> a commercial WiFi system, so I run the following on it:-
>>
>> ssh -nNT -R 51236:localhost:22 chris@
>>
>> This connects port 22 (the sshd server port) on the Beaglebone to port
>> 51236 on myhost. Then all you need to do is connect to port 51236 on
>> myhost and you actually connect to the Beaglebone. I.e. you just do
>> 'ssh -p 51236 localhost' on myhost to connect through the reverse
>> tunnel. The 51236 is just a random port number, greater than 1024 so
>> that it can be used by a non-root process.
>>
>>
>> To make this more robust I use a little utility called autossh on the
>> Beaglebone to make the outgoing connections, this restarts ssh if it
>> dies, etc. You can find out about that by searching too and it's rather
>> less confusing so I won't say any more here.
>
> Chris,
>
> Why not simply run sshd on the RPi?
>
> I do that on my LAN. ssh, git and gftp (using sftp protocol) all connect
> to my RPi successfully. Presumable
>
> So, why use the reverse SSH setup rather than running sshd behind a
> firewall on the RPi with the firewall configured to only accept
> connections from your other systems?
>
I have sshd running wide open on two public servers. Although they are
attacked constantly - several per second attempts - no one has ever
guessed my username and password, which is the only one that allows a
login...
..and if someone does, then I will restore from backup and change them....
People are too precious about security.
> Or configure the sshd server to only accept connections from IP addresses
> and/or hostnames that you control rather than using the firewall to do
> that?
Heck I run NFS over the internet with just access allowed from my
private IP range
I don't see why if he wants to see a desktop on the Pi remotely he does
not just run an X server to a remote client.
It's slow, but it does work.
Or build a web app that allows you to do what you need on the remote systems
Essentially that's how I run my servers - web apps, NFS and in extremis
ssh and su - root...
>
> I'm not knocking your approach, simply curious about what problems
> reverse SSH solves that using a firewall or a suitably configured copy of
> sshd can't handle.
>
>
I think that you can tell sshd to reject name/password in favour of some
massive length key...that is more secure than a password...
--
"When one man dies it's a tragedy. When thousands die it's statistics."
Josef Stalin
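As an added example (not Chris's or Leo's own commands), a POSIX sh script that builds the autossh reverse-tunnel command Chris describes, with the remote listener bound to loopback, and checks an sshd_config for the key-only login Leo mentions; the host name, user, port and config contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: builds the persistent reverse tunnel
# Chris describes (ssh -R kept alive by autossh) and checks an sshd_config for
# the key-only login Leo mentions. Host, user, port and config contents are
# constructed placeholders.

# Print the autossh command line for a reverse tunnel from this box to $3.
# The listener is bound to 127.0.0.1 on the remote host so only a local
# login there can reach it; ExitOnForwardFailure makes the session fail (and
# autossh retry) when the remote port is already taken.
tunnel_cmd() {
    port=$1 user=$2 host=$3
    [ "$port" -gt 1024 ] && [ "$port" -lt 65536 ] || return 1  # unprivileged port
    printf 'autossh -M 0 -nNT -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
    printf ' -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:localhost:22 %s@%s\n' \
        "$port" "$user" "$host"
}

# First effective value of keyword $2 in sshd_config $1, default $3.
# sshd honours the first occurrence, keywords are case-insensitive, and
# settings after a Match line are conditional, so the scan stops there.
first_val() {
    v=$(awk -v k="$2" 'tolower($1)=="match" {exit}
        tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
    printf '%s\n' "${v:-$3}"
}

# Succeed only if no password or keyboard-interactive path is left open and
# public-key authentication is still enabled.
sshd_key_only() {
    pw=$(first_val "$1" PasswordAuthentication yes)
    kbd=$(first_val "$1" KbdInteractiveAuthentication \
          "$(first_val "$1" ChallengeResponseAuthentication yes)")
    pk=$(first_val "$1" PubkeyAuthentication yes)
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pk" != no ]
}

# Constructed sample configs: one as shipped (passwords still on because the
# only PasswordAuthentication line is commented out), one hardened.
TMPD=$(mktemp -d)
WEAK_CFG=$TMPD/sshd_config.weak HARD_CFG=$TMPD/sshd_config.hard
printf '#PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$WEAK_CFG"
printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' > "$HARD_CFG"
printf 'PubkeyAuthentication yes\nAllowUsers chris\n' >> "$HARD_CFG"

tunnel_cmd 51236 chris myhost
sshd_key_only "$WEAK_CFG" && echo "weak config: key-only" || echo "weak config: passwords accepted"
sshd_key_only "$HARD_CFG" && echo "hard config: key-only" || echo "hard config: passwords accepted"
```

Run the printed autossh line on the Pi side; the sshd_config check is for the host you actually expose, and a Match block would need its own per-user review.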