This is just an update about my recent questions regarding how to transfer files reasonably securely (as in system security rather than confidentiality of file content) from a remote unattended system.
I have what seems to me to be a satisfactory solution that also makes some other things a bit easier.
While hunting around for ideas and solutions for this and other issues I came across an explanation and examples of the use of ProxyCommand in the ssh config file. This has provided me with my solution.
Just to recap, the remote system is a Beaglebone Black running Ubuntu which is on our boat in France monitoring temperatures, battery voltages, etc. It's connected to the internet via a WiFi hotspot, so it is behind a NAT router (presumably) and a firewall which are out of my control.
So, to make the BBB accessible it runs an ssh tunnel to an intermediate system (my web hosting provider) where I have an ssh login account. To maintain this connection through power failures and/or other glitches I run ssh on the BBB using autossh:-
autossh -N -R ?????:localhost:22 -l isbdnet3 <host on the internet>
(port number masked to ?????, there's a real number there of course)
To connect from home to the BBB I used to ssh from home to <host on the internet> and then from there, via the tunnel, to the BBB. The reason for the intermediate system is that my home firewall only allows connections from <host on the internet> and a couple of other specific IP addresses. (This is to protect my home system from long-term attacks using ssh.)
Adding a ProxyCommand to my ssh config at home allows me to connect 'directly' from my home system to the BBB, the lines are:-
Host bbb
    ProxyCommand ssh <host on the internet> nc -q0 localhost ?????
Now I can just 'ssh bbb' and it goes straight to the BBB.
Even better, and more importantly, it means that I can use sshfs to mount a directory from the BBB onto my home system, thus I can:-
sshfs bbb:tmp odin
... and the files being stored in ~/tmp on the BBB appear on my home desktop in ~/odin. This means I can manipulate them as required (which means add the values to a database) *and* when this has been done I can delete them safely, ideal! :-)
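For anyone reproducing this arrangement, here is the same setup written out as config rather than one-liners: the ProxyJump form that current OpenSSH offers as an alternative to the nc-based ProxyCommand, an authorized_keys restriction on the intermediate host so the BBB's key can do nothing except hold its tunnel, and the autossh line with keepalive options. This is an added example, not the poster's own files; <host on the internet>, ????? and the user isbdnet3 are the placeholders from the post, while the BBB user name, key file names and key comment are made up.

```sshconfig
# ~/.ssh/config on the home machine (added example, not the poster's file)

# Equivalent of the post's stanza, kept for reference:
#   Host bbb
#       ProxyCommand ssh <host on the internet> nc -q0 localhost ?????
#
# ProxyJump (OpenSSH 7.3+) does the same without needing nc on the
# intermediate host: ssh logs in there, then opens a channel from that
# host to HostName:Port, i.e. to the tunnel's listening end on loopback.
Host bbb
    HostName localhost
    Port ?????
    User <user on the BBB>       # placeholder: not given in the post
    ProxyJump <host on the internet>
    IdentityFile ~/.ssh/id_bbb   # placeholder key name

# The intermediate host itself; 'ssh bbb' uses this stanza for the hop,
# and so does 'sshfs bbb:tmp odin'.
Host <host on the internet>
    User isbdnet3
    IdentityFile ~/.ssh/id_hosting   # placeholder key name

# --- On the intermediate host: ~/.ssh/authorized_keys entry for the key
# the BBB uses to hold the tunnel. 'restrict' turns off pty, agent/X11
# forwarding and commands; 'port-forwarding' plus 'permitlisten' then
# allow only the one remote forward the tunnel needs (OpenSSH 7.8+).
# Because GatewayPorts defaults to no, that listener is loopback-only.
#
#   restrict,port-forwarding,permitlisten="?????" ssh-ed25519 AAAA... bbb-tunnel
#
# --- On the BBB: the autossh line from the post, with -M 0 so autossh
# relies on ssh's own keepalives instead of a second monitoring port,
# and the options that make a dead session exit so autossh restarts it.
#
#   autossh -M 0 -N -R ?????:localhost:22 -l isbdnet3 \
#       -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
#       -o ExitOnForwardFailure=yes <host on the internet>
```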