# Reverse SSH tunnel to access IoT devices behind NAT

Setup in a containerised environment with unique device keys.

Normally an SSH client connects to an SSH server to get SSH access. But what if you want SSH access from the SSH server to the SSH client? That is when you set up an SSH reverse tunnel: the client (here the IoT device behind NAT) opens the connection outward, and the server uses that connection to reach back to the client's own SSH daemon.

## Setup

Make sure you have already installed both Docker Engine and Docker Compose. The port number used for SSH can be changed here if needed.

The Docker containers needed are defined in docker-compose.yml and the corresponding Dockerfiles. Just bring it up:

```
docker-compose up
```

## API documentation

The REST API documentation is generated with Swagger; see the api-server container below.

## New device creation

Adding a new IoT device loads it with a device-specific key, port number and servername. Each device has information associated with it, stored at different locations:

- a device-specific password which can be used to gain shell access to the IoT device over SSH. This is stored on the key-db-server, encoded using the 'master password'.
- the device-specific encoded password (a password hash, as /etc/shadow stores it), which is stored on the device in its /etc/shadow file.
- a device-specific port number and servername, used to set up the reverse tunnel to the correct server on the correct port. This information is stored on the device and in the key-db-server.

Because the servername is device-specific, the infrastructure can grow beyond the roughly 10,000 devices (one port each in the 10000 to 20000 range) that a single master-ssh-server can serve.

We presume each device has a unique MAC address and/or ID to identify itself during new-device creation. This is typically performed at initial software loading, at the factory, or at the testing/assembly facility. It needs access to the api-server, which should not be reachable from the public internet (except temporarily, in an initial-migration scenario with a limited number of test devices already in the field).

The connect.sh script lets you specify just the device ID or MAC address and, provided you have access to the api-server and the master-ssh-server, connects you to that device. This access is logged to prevent abuse and allow auditing. The script also serves as an example of how the API can be used, e.g.:

```
connect.sh -m 92:be:bf:83:6e:b7
```

## General architecture

(Figure: network requirements for a device with unique id 234DNJE4 and MAC address 92:be:bf:83:6e:b3.)

On a public IP, one or more master-ssh-servers need to be reachable on port 22. It is possible to run this on another port, but port 22 identifies the traffic as SSH, which it is, and that is the cleanest choice from an internet perspective. It means the IoT devices connect to port 22 on the server to initiate the reverse SSH tunnel, so the network requirement for an IoT device is: allow outgoing traffic on port 22. In many home NAT situations all outgoing traffic is allowed; in corporate environments this has to be stated as an explicit requirement. It is possible to run the server on port 443 (normally HTTPS) instead, which may have a higher chance of traversing corporate firewalls; we consider this an ugly hack, but it should not be hard to make this change (or to make the port configurable).

A unique key for each IoT device ensures one customer cannot access another customer's data, not even with physical access to the other customer's network, nor through the reverse SSH tunnel. Additionally, the access an IoT device gets on the master-ssh-server is limited to setting up the tunnel; it is given no shell access.

## Different Docker containers

Three containers are created:

### master-ssh-server

This is the server the IoT devices connect to in order to activate the reverse SSH tunnel. If you need to connect to an IoT device, you also use this server, combined with the device-specific credentials stored on the key-db-server. The server should be reachable from the internet on port 22 only. Ports 10000 to 20000 need only be reachable from your internal network; each gives access to a different IoT device (with device-specific credentials).

### api-server

This server runs the REST interface to add new IoT devices and to obtain the credentials needed to connect to a specific device. It is built with the NGINX web server and PHP-FPM. The API documentation is generated with Swagger; in the www-data/doc directory we ran:

```
composer require alt3/cakephp-swagger
```

### key-db-server

This server runs the MariaDB database (a MySQL-compatible fork) containing all the device keys. It should only be reachable from the api-server.
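The pieces described on this page, put together on the command line: the device opens the reverse tunnel to its master-ssh-server on port 22, the tunnel lands on the device's own port in the 10000 to 20000 range, the device's account on the server is restricted to tunnel setup with no shell, and an operator reaches the device through that port with the device-specific credentials. This is an added example, not the project's own scripts, compose files or configuration. The `tunnel` account name, the key path /etc/iot/id_ed25519, the hostname tun1.example.net, the sample public key and the device password are constructed assumptions; the authorized_keys options and sshd_config directives are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example for the reverse-tunnel setup described on this page.
# Not the project's own code; account name, hostnames and key paths are assumptions.

# Per-device port space on the master-ssh-server, as the README states.
PORT_MIN=10000
PORT_MAX=20000

# Succeed only when $1 is a decimal number inside the device port range.
valid_device_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$PORT_MIN" ] && [ "$1" -le "$PORT_MAX" ]
}

# Device side: the ssh command the IoT device runs to raise its reverse tunnel.
#  -N -T          : no remote command, no pty; the device only needs the tunnel
#  -R PORT:localhost:22 : the server listens on the device's port and hands every
#                   connection to the device's own sshd
#  ExitOnForwardFailure : die (so a supervisor restarts us) if the port is taken
#  StrictHostKeyChecking=yes : the server host key is provisioned with the device
#                   credentials, so a MITM on the way out cannot impersonate the server
device_tunnel_cmd() {
  dt_server="$1"; dt_port="$2"; dt_key="$3"
  valid_device_port "$dt_port" || return 1
  printf 'ssh -N -T -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R %s:localhost:22 tunnel@%s' \
    "$dt_key" "$dt_port" "$dt_server"
}

# Server side: the authorized_keys entry installed for one device.
#  command="/bin/false" : anything the device tries to execute runs /bin/false instead
#  restrict             : no pty, no agent/X11 forwarding, no rc files, no forwarding
#  port-forwarding      : re-enable forwarding (restrict turned it off)
#  permitlisten="PORT"  : the only -R listener this key may open is its own port,
#                         so one device cannot take over another device's port
device_authorized_key_line() {
  ak_port="$1"; ak_pubkey="$2"; ak_id="$3"
  valid_device_port "$ak_port" || return 1
  printf 'command="/bin/false",restrict,port-forwarding,permitlisten="%s" %s device-%s' \
    "$ak_port" "$ak_pubkey" "$ak_id"
}

# Server side: sshd_config Match block for the shared tunnel account.
# Only remote forwards, no tty, no shell; GatewayPorts yes lets the listener
# bind to the server's internal interface so internal clients can reach the
# 10000-20000 range (the firewall must still block that range from the internet).
master_sshd_match_block() {
  cat <<'EOF'
Match User tunnel
    PasswordAuthentication no
    AllowTcpForwarding remote
    GatewayPorts yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Device provisioning: the crypt(3) SHA-512 hash written to the device's
# /etc/shadow (the README's "encoded password"). Password goes via stdin so it
# does not appear in the process list. Needs OpenSSL 1.1.1 or newer.
shadow_hash() {
  printf '%s' "$1" | openssl passwd -6 -stdin
}

# Operator side: what connect.sh boils down to once the API has returned the
# device's servername and port. The reverse tunnel delivers the session to the
# device's sshd, which then asks for the device-specific password.
operator_connect_cmd() {
  oc_server="$1"; oc_port="$2"; oc_user="$3"
  valid_device_port "$oc_port" || return 1
  printf 'ssh -p %s %s@%s' "$oc_port" "$oc_user" "$oc_server"
}

# Stand-alone demo with constructed values for device 234DNJE4.
main() {
  device_tunnel_cmd tun1.example.net 10234 /etc/iot/id_ed25519; echo
  device_authorized_key_line 10234 'ssh-ed25519 AAAAconstructedSampleKey' 234DNJE4; echo
  master_sshd_match_block
  if command -v openssl >/dev/null 2>&1; then
    shadow_hash 'constructed-device-password'
  fi
  operator_connect_cmd tun1.example.net 10234 root; echo
}
main
```

Two things this shows that the description alone does not: the `permitlisten` option is what actually enforces "one port per device" on the server, and both `command="/bin/false"` and `ForceCommand` leave an `ssh -N` tunnel working because a forced command only runs when the client requests a session, which a tunnel-only client never does.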