Edit/Solved: Thank you for all the great input! Both on alternative solutions and on security implications. I’m going to make a draft on how I would setup the e-mail method as securely as possible as a programming/scripting exercise, but will IRL probably end up using either some reverse tunnel/shell variant.
Edit 2: or, as a hardware solution, install an extra NIC that I expose to the opennet - thus enabling remote port forwarding - while binding all my sensitive processes/traffic to my encrypted NIC.
I cannot ssh into my Linux box from outside of my LAN since I’m behind a VPN that doesn’t support port forwarding. Is it possible to make my Linux box receive, interpret and execute commands through e-mail instead? I’ve tried looking for answers through DuckDuckGo’s search engine, to no avail. If I may dream, I would like to setup an e-mail server with a systemd service or just run a script that continuously downloads the emails, prints their content to stdin and executes, perhaps through command substitution, whatever is in stdin.
You could, but I’m not sure that’s a good idea security-wise. Also how would you interact with commands that require interaction?
Hm… I’d run the script/service with root privileges and make the commands concise one-liners, maybe… I’m actually only looking at the shutdown command, presuming that it does sync and umount gracefully… Maybe I could reduce security risks by creating a user that can only run shutdown. And make it so that only that user can access (download, print, execute) emails?
Or don’t execute shell commands written in the email, and instead have a plain English command that, if detected, triggers a specific shell command. That way nobody could arbitrarily run code, only the commands you’ve built into the listener.
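Taking the “plain English command triggers a specific shell command” idea above literally, here is an added example (my own illustration, not code from any poster) of such a listener in POSIX sh. The body of the message is matched, whole, against a fixed allowlist and nothing from the message is ever passed to `eval` or command substitution; the sender address, the `mailbot` user and the sudoers path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a message-to-command listener that
# never executes message content. The body is matched, whole, against a
# fixed allowlist; the command that runs comes from this script, not from
# the mail. Sender address and the sudoers snippet are placeholder assumptions.
ALLOWED_SENDER="${ALLOWED_SENDER:-me@example.org}"   # assumption

# Allowlist: normalized keyword -> the one command it may trigger.
# Pair this with a sudoers rule limited to exactly that command, e.g.
# (hypothetical /etc/sudoers.d/mailbot):
#   mailbot ALL=(root) NOPASSWD: /sbin/shutdown -h now
command_for() {
  case "$1" in
    "shutdown now") echo "sudo -n /sbin/shutdown -h now" ;;
    "uptime")       echo "uptime" ;;
    *)              return 1 ;;
  esac
}

# Take the first non-blank line of the body, strip CRs and outer whitespace,
# lowercase it. The result is only ever compared, never executed.
extract_keyword() {
  tr -d '\r' \
    | sed -n '/[^[:space:]]/{p;q;}' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | tr 'A-Z' 'a-z'
}

# decide SENDER BODY: print the command to run, or fail and run nothing.
# The From: header alone is forgeable; in a real deployment gate this on a
# verified signature (the GPG/S/MIME suggestion below) rather than the header.
decide() {
  sender="$1"
  body="$2"
  [ "$sender" = "$ALLOWED_SENDER" ] || return 1
  kw=$(printf '%s\n' "$body" | extract_keyword)
  [ -n "$kw" ] || return 1
  command_for "$kw"
}

# Dry run over a constructed message (no mail server needed):
#   sh listener.sh demo   ->   would run: sudo -n /sbin/shutdown -h now
if [ "${1:-}" = demo ]; then
  if cmd=$(decide "me@example.org" "  Shutdown now  "); then
    echo "would run: $cmd"
  fi
fi
```

The point of the `case` table is that a body such as `shutdown now; touch /tmp/x` or `$(reboot)` does not partially match anything and is simply dropped, whereas the stdin-to-command-substitution design in the original question would have executed it.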
I’m not sure that’s a good idea security-wise.
You could always sign the messages with GPG or S/MIME.
Sounds like an A/B X/Y problem. If you just want to ssh into it - there is a thing that you can find by searching “reverse remote shell over HTTPS/WebSocket”.
Solutions like these pop up, but I have not personally used any of them:
- Upterm
- WebTTY
- sshx
- Teleconsole
- tmate
Check out whether they could do what you want them to do.
*xy problem. A/B is a user testing thing.
right, right, sorry, my brain is foggy rn.
This.
Look at tailscale.
This is the best solution. Look into Tailscale, it’s brilliant for your use-case.
Seconded - just use Tailscale and SSH.
Something like selfhosted Matrix might be better securitywise. Email is pretty insecure, anyone could send an email to you with a command. But with Matrix you’d at least need a token.
Plus there are plenty of hooks/bots you can add to Matrix. NodeRed is an easy one for automations. Send a message to a channel, and it executes different automations. Can easily be a shutdown/ssh command.
@emotional_soup_88 possible, but sounds like an extremely bad idea. If you can send commands, then everybody else can.
Yes but your script can check who the email is from and check its certs before doing any operations on it. The only security issue is the email being read in transit but that can be worked around by not sending sensitive info.
True. Hadn’t thought of that. Maybe I could make the address extremely long and arbitrary? And “hide” it behind my e-mail alias service?
But I absolutely understand the security implications.
Security by obscurity as single line of defense is generally not a good idea.
And then there is user management and permissions that I could sprinkle on top that.
Do you mean you’re behind a NAT and can’t forward maybe?
Tailscale or ZeroTier will work around that.
If you can arrange a fixed IP address externally (or dynamic DNS that follows your IP around) you can set up a reverse SSH connection instead.
Basically your server connects to your external computer via SSH and then sets up port forwarding so that when you connect to localhost:2222 or similar on your PC, you’re actually connecting back to the server.
Now THAT sounds like a smart solution! I’ll look into it! :) I can ask my ISP to give me a static address for my home. But something needs to prompt the ssh command “at home” to connect to my second computer, right (actually Termux on my Android phone)?
It can be a Cron job that runs every minute. Run a script that:
- Checks for the existence of a file, if it exists, exit.
- (Optional) ping your end, if it’s up, continue, otherwise exit
- Touches said file.
- Runs SSH to try and connect to your end. If the connection is made everything halts here until the connection drops.
- Cleans up said file.
- Exits.
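The six steps above as one POSIX sh script, added here as an illustration (not the commenter’s own code); it also covers the earlier description of `-R` forwarding back to localhost:2222. Host name, user, ports and lock path are placeholder assumptions to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): the cron-driven reverse SSH tunnel
# described above, as one script. Every host name, user and port below is a
# placeholder assumption; replace with your own.
REMOTE_HOST="${REMOTE_HOST:-home.example.net}"  # your static IP / DDNS name (assumed)
REMOTE_USER="${REMOTE_USER:-u0_a123}"           # Termux login name (assumed)
REMOTE_PORT="${REMOTE_PORT:-8022}"              # Termux sshd default port (assumed)
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"          # sshd on the Linux box
TUNNEL_PORT="${TUNNEL_PORT:-2222}"              # port opened on the phone side
LOCKFILE="${LOCKFILE:-/tmp/reverse-tunnel.lock}"

# Steps 1 and 3: check for the lock and create it. mkdir is atomic, so two
# cron runs starting in the same second cannot both believe they own it.
acquire_lock() {
  if mkdir "$LOCKFILE" 2>/dev/null; then
    echo "$$" > "$LOCKFILE/pid"
    return 0
  fi
  return 1
}

# Step 5: remove the lock.
release_lock() {
  rm -rf "$LOCKFILE"
}

# Step 2 (optional): is the far end reachable at all?
remote_is_up() {
  ping -c 1 -W 2 "$REMOTE_HOST" >/dev/null 2>&1
}

# Step 4: the ssh invocation, printed as one line so it can be inspected.
#   -N                      no remote command, forwarding only
#   -R 2222:localhost:22    phone's port 2222 -> this box's sshd
#   ExitOnForwardFailure    fail (and let cron retry) if the port is taken
#   ServerAlive*            notice a dead connection within about 90 s
#   BatchMode               never prompt; needs an agent or passphrase-less key
ssh_args() {
  printf '%s ' -N \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 \
    -o ServerAliveCountMax=3 \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    -p "$REMOTE_PORT" \
    -R "${TUNNEL_PORT}:localhost:${LOCAL_SSH_PORT}" \
    "${REMOTE_USER}@${REMOTE_HOST}"
  echo
}

main() {
  acquire_lock || exit 0            # step 1: another run already holds the tunnel
  trap release_lock EXIT INT TERM   # step 5 happens even if ssh is killed
  remote_is_up || exit 0            # step 2
  # shellcheck disable=SC2046       # word splitting is intended here
  ssh $(ssh_args)                   # step 4: blocks until the link drops
}                                   # step 6: exit; the trap removes the lock

# Cron entry (crontab -e):  * * * * * /usr/local/bin/reverse-tunnel.sh run
case "${1:-}" in
  run) main ;;
esac
```

Because `BatchMode=yes` means a key that works without a passphrase, limit what that key can do on the phone side: in Termux’s `authorized_keys` prefix it with `restrict,port-forwarding,permitlisten="2222"` so the key can open exactly this one reverse port and nothing else (no shell, no other forwards). Then `ssh -p 2222 user@localhost` on the phone lands on the Linux box.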
Thanks! I’ll noodle it around a little. :)
It’s possible—I’ve used Perl scripts to pull data automatically out of email attachments stored in a maildir setup, and you should be able to pick commands out of a plain-text email body with a scripting language even more easily—but I will add my voice to the chorus that’s saying you should look into any other method you can find before settling on this. If it turns out you must proceed along these lines, think long and hard about security.
There are a couple of apps on f droid that implement this with SMS.
Meshvpn like zerotier?
I’ll check it out.
Yes, that is technically possible, but you’ll probably have to design it yourself, because I don’t think anyone else has/will. You need to really consider the security implications of this kind of setup. If anyone discovers how to send an email in the way you’re talking about to your box, they would 100% be able to take over your box.
I’ve never needed to do this but have you looked into creating a Reverse SSH Tunnel? Maybe that can accomplish what you want https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/
Similar to what you are trying to do - A while back when I needed to remote connect to a firewalled Windows computer I set up a reverse VNC connection on that Windows computer that would get initiated whenever I sync’d a file over to the Windows system via Dropbox/Syncthing (those work without port forwarding). Reverse VNC, like Reverse SSH or other connections basically try to initiate the connection out of the firewalled system, it’s an interesting workaround when you have no incoming port forwards. Not sure if I’d recommend that type of set up but it is more secure than sending emails so there’s that.
If you’re able to set up a mesh VPN that might work better but you do have other options if you need them.