Centralized SSH tunnel hub for Raspberry Pi

The other week I was developing an application system which included distributing Raspberry Pis (or very similar SoC devices) to physical locations which I would not have easy access to. The need to somehow get shell access to these devices became apparent right away. Not for the direct running and managing of the application itself, but for the monitoring and manual error management which will eventually be required. To accomplish this I developed the ssh-hub project, which provides a way to centrally manage a set of reverse SSH tunnels for a set of Raspberry Pis as well as a simple way to execute shell commands on the remotely located devices.

In my use case the reverse SSH tunnels provide the same features that a dynamic DNS would: the ability to address each of the SoC terminals directly even though none of them has a static IP assigned. More than that, a reverse SSH tunnel also bypasses many of the network quirks that may lie between the Pi and the internet, such as NATs.

The ssh-hub service provides a CRUD-like REST interface for managing terminals in the set. Adding a terminal generates a Linux user on the machine which runs the ssh-hub service. This operation generates two RSA key pairs. One pair is for client-to-server access (with very limited privileges); when installed on the Raspberry Pi, it allows the Pi to establish a reverse SSH tunnel to the ssh-hub machine. The other key pair allows the ssh-hub to access the Raspberry Pi's sshd through the open reverse SSH tunnel.
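One way to give the client-to-server key "very limited privileges" is to restrict it in the hub user's `authorized_keys`. The sketch below is an added example, not code from the ssh-hub repository; the function name, the one-loopback-port-per-terminal scheme, the sample key and the reliance on OpenSSH 7.8+ (`restrict`, `permitlisten`) are assumptions.

```shell
#!/bin/sh
# Added example (not ssh-hub code): build an authorized_keys entry for a
# tunnel-only key. Assumes OpenSSH >= 7.8 on the hub and one loopback
# port per terminal.

# tunnel_authorized_keys_line PORT "PUBKEY"
# Prints one authorized_keys line; returns non-zero on bad input.
tunnel_authorized_keys_line() {
    port=$1
    pubkey=$2
    nl='
'
    # Port: plain decimal, no leading zero, at most 5 digits, unprivileged.
    case $port in
        ''|*[!0-9]*|0*|??????*) echo "invalid port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi
    # Key: exactly one line, so it cannot smuggle in a second,
    # unrestricted authorized_keys entry.
    case $pubkey in
        *"$nl"*) echo "multi-line key rejected" >&2; return 1 ;;
    esac
    # Key must start with the key type, never with its own options.
    case $pubkey in
        'ssh-rsa '*|'ssh-ed25519 '*) ;;
        *) echo "unexpected key type" >&2; return 1 ;;
    esac
    # restrict: no pty, agent or X11 forwarding, no user rc.
    # port-forwarding + permitlisten: -R may bind only this loopback port.
    # command: any session request runs /bin/false instead of a shell.
    printf '%s %s\n' \
        "restrict,port-forwarding,permitlisten=\"localhost:${port}\",command=\"/bin/false\"" \
        "$pubkey"
}

# Constructed sample key, for illustration only.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed pi-terminal-1'
tunnel_authorized_keys_line 22001 "$SAMPLE_KEY"
```

With an entry like this the Pi would connect with `ssh -N -R 22001:localhost:22 ...`, since no shell is available to it. Local (`-L`) forwarding is limited separately, with `permitopen`.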

The create operation in the CRUD REST interface also generates a tar.gz package which needs to be transferred to the Raspberry Pi out of band. You could potentially serve the client_package.tar.gz through the REST interface as well, but I haven't figured out a safe way to do it. The package contains a script which creates the required user on the Raspberry Pi, installs the relevant SSH keys and ensures that a persistent reverse SSH tunnel is established from the Raspberry Pi to the ssh-hub server whenever the Raspberry Pi is started.

Once this is done, the POST method /terminals/[terminal_id]/run can be used to send plain/text HTTP body content containing arbitrary commands to the Raspberry Pis managed by the ssh-hub. The response body will contain the standard output and standard error of the executed command. Alternatively, an administrator could use SSH access to the ssh-hub machine to gain direct SSH access to the different attached Pi units.

It is probably worth pointing out that it is not recommended to let the ssh-hub REST interface be publicly accessible. It is currently only secured by basic auth.

When I tested the system, the ssh-hub instance was installed on an Ubuntu server and the Raspberry Pi units ran a recent version of the Raspbian distribution (Debian-based).

P.S. The head of the ssh-hub repository is not yet completely tested. I do not have access to all the hardware required. Will update the post as soon as this is done. I have a working copy. It is just not as pretty as the head. If you intend to use it right away, be ready for some tweaking.