None.  But then maybe we do and don't know it.

When I set up a reverse tunnel, I take a number of precautions.  I use
large ssh-keys and strong ciphers/MACs.  The jump box has limited
access and capabilities.  The target account on the jump box is locked
down (i.e. ssh-key access only, incoming only from source system IP,
password is random and unknown, etc.).  To access the source system,
you first have to log in to the jump box with your account (again,
ssh-key only, unknown-random password, etc.).  Finally, you need an
account on the source system.

That's the simple setup.  You can get more fancy with Multi-Factor
Authentication, IDS, non-obvious ports, port-knocking, etc.

Hack proof?  No, as nothing ever is.  But the probability is pretty
small.  If there's a weakness, my guess would be that it's not with
the reverse tunnel, the source system, or the jump box, but with
whatever system you use to access those.  There are easier ways to
access the source system than trying to crack into an ssh system:

https://xkcd.com/538/

Good luck and let us know what you discover.

Regards,
- Robert
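
An added example, not part of the original message: a Python check of one authorized_keys entry for the tunnel account on the jump box against the precautions listed above (source-IP restriction, no terminal, pinned forward port, key size). The sample entries, port 2222, address 203.0.113.10 and the 3072-bit RSA floor are assumptions; the option names are standard OpenSSH authorized_keys options.

```python
import base64

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def split_unquoted(text, seps):
    """Split on separator characters that are not inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch in seps and not quoted:
            parts, cur = parts + ([cur] if cur else []), ""
        else:
            cur += ch
    return parts + ([cur] if cur else [])

def rsa_bits(blob_b64):
    """Modulus size from an ssh-rsa blob: string type, mpint e, mpint n."""
    data, fields = base64.b64decode(blob_b64), []
    while data:
        size = int.from_bytes(data[:4], "big")
        fields.append(data[4:4 + size])
        data = data[4 + size:]
    return int.from_bytes(fields[2], "big").bit_length()

def audit_tunnel_key(line, min_rsa_bits=3072):  # threshold is an assumption
    """Return the precautions missing from one authorized_keys entry."""
    fields = split_unquoted(line.strip(), " \t")
    has_opts = not fields[0].startswith(KEY_TYPES)
    opts = split_unquoted(fields[0], ",") if has_opts else []
    keytype, blob = fields[1:3] if has_opts else fields[0:2]
    names = {o.split("=", 1)[0].lower() for o in opts}  # names are case-insensitive
    weak = keytype == "ssh-dss" or (keytype == "ssh-rsa" and rsa_bits(blob) < min_rsa_bits)
    checks = [("from" in names, "no from= source restriction"),
              (bool(names & {"restrict", "no-pty"}), "no restrict or no-pty option"),
              ("permitlisten" in names, "remote forward port not pinned"),
              (not weak, "weak key")]
    return [msg for ok, msg in checks if not ok]

def constructed_rsa_blob(bits):  # constructed sample material, not a real key
    pack = lambda b: len(b).to_bytes(4, "big") + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + n)).decode()

# Constructed entries for a hypothetical tunnel account (203.0.113.10 is a documentation address).
LOCKED = 'restrict,port-forwarding,permitlisten="localhost:2222",from="203.0.113.10" ssh-rsa ' + constructed_rsa_blob(4096)
OPEN = "ssh-rsa " + constructed_rsa_blob(1024) + " device01"

if __name__ == "__main__":
    print(audit_tunnel_key(LOCKED) or "ok", audit_tunnel_key(OPEN))
```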


On Fri, Mar 3, 2017 at 9:13 AM, VY <vyau5...@gmail.com> wrote:
> Unfortunately, I have no access to that person anymore.
>
> Based on your experience, there were no issues that you have run into with
> such deployment?
>
> -v
>
>
> On Fri, Mar 3, 2017 at 9:07 AM, Robert Citek <robert.ci...@gmail.com> wrote:
>
>> I would ask the person who told you that this is not secure to elaborate.
>> I have worked with a number of companies that do this. So I am as curious
>> as you are.
>>
>> Regards,
>> - Robert
>>
>> On Fri, Mar 3, 2017 at 9:01 AM VY <vyau5...@gmail.com> wrote:
>>
>> > Dear All:
>> >
>> > I am supporting a client that has product Linux PCs running in the field.
>> > The person before me has built a reverse SSH tunnel (connection initiated
>> > by the device itself back to us and the connection is monitored by
>> > autossh).
>> >
>> > I was told this is not secure.  I am no expert in security.  What are the
>> > possible issues with this approach?  And what would be a more secure
>> > mechanism than reverse SSH?
>> >
>> > thanks
>> >
>> > -v
>> > _______________________________________________
>> > PLUG mailing list
>> > PLUG@lists.pdxlinux.org
>> > http://lists.pdxlinux.org/mailman/listinfo/plug
>> >