Consider using socat instead of SSH for the reverse tunnel

[Arkanosis]

socat is an interesting alternative to SSH to establish the reverse tunnel, with both pro and cons:

• pros:
  • the server does not need a passphrase-less private key (no need for a ssh-keygen);
  • the server does not need to know the client's SSH server public key (no need for a known_hosts);
  • the client does not need a SSH server (ie. no sshd configuration, lower attack surface);
  • the client does not need to know the server's SSH client public key (no need for a authorized_keys);
  • the client does not need a rssht-user restricted account;
  • the user does not need to be root on the client;
• cons:
  • the server can't check the client is known (no known_hosts);
  • the client can't control who connects to it (no sshd configuration, no authorized_keys);
  • default fail2ban rules do not apply (new rules could be written, though);
  • the client should setup a restricted account (or some kind of sandbox) anyway, given the security history of socat.

socat looks much more convenient to setup, but a bit less secure. As an alternative tunnel protocol, that would be a significant improvement in usability.

BTW, as a custom program is needed on the client anyway (#6, monitoring…), building something similar to socat with some additional security features could bring the best of all worlds.