Nitrokey/nextbox

SSH to the nextbox from outside local network when the nextbox is accessible using deSEC dynDNS

jerabaul29 opened this issue · 6 comments

I have a Nextbox set up with deSEC dynDNS. I can easily SSH to it on the local network, using the SSH key provided in the nitrokey app.

Is there an easy way to SSH to the nextbox from outside the local network? Should I 'just' add port forwarding on my router for the port 22 to the nextbox, and / or is there something more to do? Is there some hardening I should implement? How can I check for the RSA identity (can it be displayed on the nextbox app?).

Isn't this covered in #26 already?
But in short: port-forwarding and/or ssh access is (mostly) unrelated to the dynamic dns mechanism you use.
DNS simply translates a (domain) name to an IP in order to make ssh test.dedyn.io equivalent to ssh 123.123.123.123, if this were your current (dynamic) IP.

Is there some hardening I should implement?

See #26

How can I check for the RSA identity (can it be displayed on the nextbox app?).

Nope, it isn't. What use-case would you like to cover with this?

Thanks. Sorry, lost track of my own old issue... Maybe these details could be added to the manual / documentation if it is not already? :)

My motivation is actually to put in place a simple backup strategy: rsync over SSH from another location on a RPi. My nextbox is not full disk encrypted, so I guess that I can just "rsync over SSH backup" the nextbox - I can let you know how it goes.

About the RSA identity display: I have always been told that I should check it when SSH-ing to a remote server to avoid a man-in-the-middle attack. Is that not correct? Would it be possible to display it? I guess this would be 'just' a small bit of PHP / scripting on the Nextbox app side to make it visible to the user. If this can be a possible additional best-practices point indeed, it may be great to add?

Interesting, actually this is a built-in ssh feature.
On a first connection your local ssh client will ask the server for a fingerprint, which is unique to this server (this is the prompt you have to answer with "y" on first connection to a server). This fingerprint is then kept in ~/.ssh/known_hosts; your local ssh client will then check on each new connection that the fingerprint matches the one inside known_hosts, and will warn you accordingly if this fingerprint has changed and even forbid connecting to the server, as this might indicate a MITM attack.
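The known_hosts check described above, as an added example that is not NextBox project code: it computes the SHA256 fingerprint the way `ssh-keygen -lf` does and applies the client's known / unknown / mismatch decision, including HashKnownHosts-style hashed entries. The hostname nextbox.local, the sample key bytes and the known_hosts content are constructed for the example.

```python
"""Host-key pinning as the ssh client does it: fingerprint a presented key
(the value `ssh-keygen -lf` prints) and check it against known_hosts."""
import base64
import hashlib
import hmac
import struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ed25519_blob(raw32: bytes) -> str:
    """Base64 public-key blob as written in known_hosts (type string + 32 key bytes)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256:<unpadded base64> of the decoded blob, identical to ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(host: str, salt: bytes) -> str:
    """known_hosts host field in the HashKnownHosts form |1|salt|HMAC-SHA1(host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """Match a plain (possibly comma-separated) or hashed host field."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host(host, salt), field)
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, blob_b64: str) -> str:
    """'known' (connect silently), 'unknown' (first-contact prompt), 'MISMATCH' (refuse)."""
    seen = False
    for line in known_hosts.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].startswith("#"):
            continue
        if host_matches(f[0], host):
            seen = True
            if f[1] == keytype and f[2] == blob_b64:
                return "known"
    return "MISMATCH" if seen else "unknown"

# Constructed sample keys (not real NextBox keys); the 32 raw bytes are arbitrary.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "nextbox.local ssh-ed25519 " + KEY_A + "\n"
```

Connecting to the same box under its dynDNS name is a new host entry for the client, so it prompts again; that prompt is the moment to compare the shown fingerprint with the one noted on the LAN.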

Yes, exactly, so as a user you have to double check the ID / fingerprint and check that it matches the value expected the first time you connect to the SSH server, and this is especially important when connecting to a server outside of the local network...

I could, I suppose, 1) log in locally, 2) take note of the fingerprint, 3) check the fingerprint against the one I have taken note of when logging in from a non-local network, but it would be simpler if I could just see all this information in the nextbox app, hence my question / request :) .