[PLUG] Reverse SSH tunnel

Chuck Hast wchast at gmail.com
Sat Mar 4 02:52:21 UTC 2017


The ozone machines I worked on did exactly that: the PLC in the machine
would set up an SSH connection to the host end. From that point on, there was
a pipe between the remote device and the host end. As far as I know there
were no issues with it as far as cracking or intercepting it. The host end
was a Linux machine. I cannot remember all of the bits and pieces, but I do
remember that was how the machines were linked to the host.

On Fri, Mar 3, 2017 at 5:03 PM, VY <vyau5678 at gmail.com> wrote:

> Thanks for the reply, I am now much more comfortable with this solution
>
> -v
>
>
> On Fri, Mar 3, 2017 at 2:28 PM, chris (fool) mccraw <gently at gmail.com> wrote:
>
> > I too have never heard of any problem with this setup (which I've also
> > used with success, including the autossh part).  Would be curious to know
> > if anyone has substantive issues they can point to rather than scuttlebutt!
> >
> > On Fri, Mar 3, 2017 at 1:10 PM, Tom <tomas.kuchta.lists at gmail.com> wrote:
> >
> > > A reverse ssh tunnel is a secure solution, if configured properly and
> > > using robust keys, access control and a strong password. It keeps control
> > > over the connection with the connecting user/site, as it should be in a
> > > normal customer/supplier relationship.
> > > I do not want to speculate about what you've heard. If you were not
> > > told why/what the problem is, I would do due diligence on the ssh side
> > > (patching, CVE reviews, access logs, configuration, best practices, key
> > > rotation, etc.) and formally request details from the person making the
> > > security issue claim. If the outcome is not negative for the existing
> > > ssh proxy/tunnel, as measured by data, not by fear, and there are no
> > > other considerations against it (such as maintainability, existing VPN
> > > infrastructure, etc.), I would recommend keeping it.
> > > There are many FUD type claims against OpenSSH, OpenSSL,
> > > insertYourFavouriteProtocolHere based on past issues, in favor of other
> > > closed, small, not well maintained/updated alternatives. Despite the
> > > bad press/performance in the past, Network Time Protocol, OpenSSH and
> > > OpenSSL have been Linux Foundation Core Infrastructure Projects for a
> > > while, with significant quantitative quality and funding improvements,
> > > reviews and full disclosures in the open.
> > > I hope it helps, Tomas
> > > On Fri, 2017-03-03 at 09:13 -0800, VY wrote:
> > > > Unfortunately, I have no access to that person anymore.
> > > >
> > > > Based on your experience, there were no issues that you have run into
> > > > with such deployment?
> > > >
> > > > -v
> > > >
> > > >
> > > > On Fri, Mar 3, 2017 at 9:07 AM, Robert Citek <robert.citek at gmail.com> wrote:
> > > >
> > > > > I would ask the person who told you that this is not secure to
> > > > > elaborate. I have worked with a number of companies that do this. So
> > > > > I am as curious as you are.
> > > > >
> > > > > Regards,
> > > > > - Robert
> > > > >
> > > > > On Fri, Mar 3, 2017 at 9:01 AM VY <vyau5678 at gmail.com> wrote:
> > > > >
> > > > > > Dear All:
> > > > > >
> > > > > > I am supporting a client that has product linux PCs running in
> > > > > > the field. The person before me has built a reverse SSH tunnel
> > > > > > (connection initiated by the device itself back to us, and the
> > > > > > connection is monitored by autossh).
> > > > > >
> > > > > > I was told this is not secure. I am no expert in security. What
> > > > > > are the possible issues with this approach? And what would be a
> > > > > > more secure mechanism than reverse SSH?
> > > > > >
> > > > > > thanks
> > > > > >
> > > > > > -v
> > > > > > _______________________________________________
> > > > > > PLUG mailing list
> > > > > > PLUG at lists.pdxlinux.org
> > > > > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > > > > >



-- 

Chuck Hast  -- KP4DJT --
Glass, five thousand years of history and getting better.
The only container material that the USDA gives blanket approval on.
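Tomas's due-diligence list above (robust keys, access control, a look at the ssh configuration) can be turned into a quick host-end check. The following is an added example, not code from the thread or from any poster: it audits authorized_keys entries of the account the field devices dial into and the global section of sshd_config, over constructed sample inputs; MIN_RSA_BITS is an assumed policy threshold, and the key-options field is assumed to contain no spaces.

```python
import base64
import struct
# Added audit example, not from the thread. Samples are constructed and
# MIN_RSA_BITS is a chosen policy threshold, not an OpenSSH default.
MIN_RSA_BITS = 3072
TOY_RSA = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwEAAA== dev"  # n = 2**16
SAMPLE_SSHD = ("PasswordAuthentication no\nGatewayPorts yes\n"
               "Match User tunnel\n  AllowTcpForwarding remote\n")
# sshd_config key: (OpenSSH 7.x default, value wanted on the host end)
SSHD_POLICY = {"passwordauthentication": ("yes", "no"),
               "permitrootlogin": ("prohibit-password", "no"),
               "gatewayports": ("no", "no")}  # keep -R listeners on loopback

def rsa_bits(b64_blob):
    """Modulus size of an ssh-rsa blob (SSH strings: "ssh-rsa", e, n)."""
    raw, off = base64.b64decode(b64_blob), 0
    for _ in range(3):
        n = struct.unpack_from(">I", raw, off)[0]
        field, off = raw[off + 4:off + 4 + n], off + 4 + n
    return int.from_bytes(field, "big").bit_length()

def audit_authorized_key(line):
    """Findings for one tunnel-account authorized_keys entry (space-free options)."""
    parts = line.split(None, 2)
    if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        opts, ktype, blob = "", parts[0], parts[1]
    else:
        opts, ktype, blob = parts[0], parts[1], parts[2].split()[0]
    out = []
    if "restrict" not in opts and "no-pty" not in opts:
        out.append("no restrict/no-pty: key grants an interactive shell")
    if "from=" not in opts:
        out.append("no from= clause: key usable from any source address")
    if ktype == "ssh-dss":
        out.append("DSA key: deprecated, rotate to ed25519")
    elif ktype == "ssh-rsa" and rsa_bits(blob) < MIN_RSA_BITS:
        out.append("RSA modulus %d < %d bits" % (rsa_bits(blob), MIN_RSA_BITS))
    return out

def audit_sshd_config(text):
    """Findings for the global section of the host-end sshd_config."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match"):
            break  # per-user Match blocks are not audited here
        if line:
            key, val = (line.split(None, 1) + [""])[:2]
            seen.setdefault(key.lower(), val.strip().lower())  # first wins
    return ["%s is %s, want %s" % (k, seen.get(k, d), w)
            for k, (d, w) in SSHD_POLICY.items() if seen.get(k, d) != w]
```

Run it against the real files of the tunnel account and a copy of sshd_config; an empty list from both functions means the host-end settings match the policy encoded in SSHD_POLICY and the key checks.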


