This is just an update about my recent questions regarding how to
transfer files reasonably securely (as in system security rather than
confidentiality of file content) from a remote unattended system.
I have what seems to me to be a satisfactory solution that also makes
some other things a bit easier.
While hunting around for ideas and solutions for this and other issues
I came across an explanation and examples of the use of ProxyCommand
in the ssh config file. This has provided me with my solution.
Just to recap, the remote system is a Beaglebone Black running Ubuntu
which is on our boat in France monitoring temperatures, battery
voltages, etc. It's connected to the internet via a WiFi hotspot so
is behind a NAT router (presumably) and a firewall which are out of my
control.
So, to make the BBB accessible it runs an ssh tunnel to an
intermediate system (my web hosting provider) where I have an ssh
login account. To maintain this connection through power failures
and/or other glitches I run ssh on the BBB using autossh:-
autossh -N -R ?????:localhost:22 -l isbdnet3 <host on the internet>
(port number masked as ?????; there's a real number there of course)
To connect from home to the BBB I used to ssh from home to
<host on the internet> and then from there, via the tunnel, to the BBB.
The reason for the intermediate system is that my home firewall only
allows connections from <host on the internet> and a couple of other
specific IP addresses. (This is to protect my home system from long
term attacks using ssh)
Adding a ProxyCommand entry to my ssh config at home allows me to connect
'directly' from my home system to the BBB; the entry is:-
Host bbb
    ProxyCommand ssh <host on the internet> nc -q0 localhost ?????
Now I can just 'ssh bbb' and it goes straight to the BBB.
Even better and more importantly it means that I can use sshfs to
mount a directory from the BBB onto my home system, thus I can:-
sshfs bbb:tmp odin
... and the files being stored in ~/tmp on the BBB appear on my home
desktop in ~/odin. This means I can manipulate them as required
(which means adding the values to a database) *and* when this has been
done I can delete them safely, ideal! :-)
--
Chris Green
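[Editor's addition, not part of Chris's message.] The setup above has three
pieces living on three machines: the autossh command on the BBB, the ssh
config stanza at home, and the BBB's public key in authorized_keys on the
relay. The script below generates all three from placeholder arguments so
they can be reviewed side by side; it is an added example, not the
author's actual configuration, and relay.example.net, the login names,
the port and the key are all made up. It assumes OpenSSH 7.8 or newer on
the relay (for permitlisten) and 7.3 or newer at home (for ProxyJump). Two
things it adds that the post does not mention: ProxyJump (or, on older
clients, "ProxyCommand ssh -W %h:%p relay") does the same job as the nc
trick without needing a netcat binary on the relay, and the authorized_keys
restriction means the key sitting on an unattended BBB can only open that
one reverse tunnel, not log in interactively or forward anything else, if
the board is ever taken.

```shell
#!/bin/sh
# Added example: generate the three pieces of an autossh reverse tunnel
# through a relay host.  All host/user names, the port and the key are
# placeholders supplied as arguments; nothing here is written to ~/.ssh.
set -eu

# Only an unprivileged user binds the -R listener on the relay, so the
# port must be numeric and above 1023.
check_port() {
    case $1 in
        ''|*[!0-9]*) echo "port must be numeric, got '$1'" >&2; return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] || {
        echo "port must be 1024-65535, got '$1'" >&2; return 1; }
}

# 1. BBB side.  -M 0 disables autossh's own monitor port and relies on
#    ssh keepalives instead; ExitOnForwardFailure makes ssh exit (so autossh
#    restarts it) when the relay still holds a stale listener on the port.
gen_bbb_tunnel_cmd() {
    port=$1; relay_host=$2; relay_user=$3
    check_port "$port" || return 1
    printf 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -R %s:localhost:22 -l %s %s\n' \
        "$port" "$relay_user" "$relay_host"
}

# 2. Home side.  ProxyJump makes the relay open a TCP connection to
#    HostName:Port from *its* side, so "localhost" here is the relay's
#    loopback where the -R listener lives.  HostKeyAlias pins the BBB's host
#    key under a stable name instead of the ambiguous "[localhost]:PORT".
#    Pre-7.3 equivalent of the ProxyJump line: ProxyCommand ssh -W %h:%p relay
gen_client_config() {
    port=$1; relay_host=$2; relay_user=$3
    check_port "$port" || return 1
    cat <<EOF
Host relay
    HostName $relay_host
    User $relay_user

Host bbb
    HostName localhost
    Port $port
    HostKeyAlias bbb
    ProxyJump relay
EOF
}

# 3. Relay side: authorized_keys line for the BBB's key.  "restrict" turns
#    off pty, agent/X11 forwarding and ~/.ssh/rc; "port-forwarding" turns
#    forwarding back on; permitlisten pins -R to loopback on the one port.
#    (ssh sends the bind host "localhost" when -R is given without one.)
gen_relay_authorized_key() {
    port=$1; pubkey=$2
    check_port "$port" || return 1
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' \
        "$port" "$pubkey"
}

# Write all three files into DIR for review before copying them into place.
write_all() {
    dir=$1; port=$2; relay_host=$3; relay_user=$4; pubkey_file=$5
    mkdir -p "$dir"
    gen_bbb_tunnel_cmd "$port" "$relay_host" "$relay_user" > "$dir/bbb-autossh.sh"
    gen_client_config "$port" "$relay_host" "$relay_user" > "$dir/home-ssh-config"
    gen_relay_authorized_key "$port" "$(cat "$pubkey_file")" > "$dir/relay-authorized_keys"
    # ssh -G parses a config and prints the effective options without
    # connecting anywhere, so the home stanza can be sanity-checked offline.
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$dir/home-ssh-config" bbb | grep -i '^proxyjump'
    fi
}

# Usage: sh tunnel-setup.sh OUTDIR PORT RELAY_HOST RELAY_USER BBB_PUBKEY_FILE
if [ $# -eq 5 ]; then
    write_all "$@"
fi
```

Run it as, for example, "sh tunnel-setup.sh ./out 22222 relay.example.net
isbdnet3 bbb_id_ed25519.pub", then put bbb-autossh.sh in the BBB's boot
sequence, append home-ssh-config to ~/.ssh/config at home, and replace the
BBB's existing line in the relay's ~/.ssh/authorized_keys with the one in
relay-authorized_keys. The relay's sshd default of GatewayPorts no already
keeps the listener off the public interface; the permitlisten option
enforces the same thing per key, so a change to sshd_config later cannot
silently widen it.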