How many times has this happened to you: you want to access a remote server, but you can't because it is behind a firewall? I frequently found myself in such a situation when I needed to access my Internet-connected server running Linux, so I thought of a system where I could start controlling my server remotely via a simple email.
Of course, this solution had one crucial requirement: it had to be secure. The server had to respond only to senders who were identified and authorized, and the command sent to the server, along with its related output, had to travel over the wire in encrypted form. To meet these security requirements, I used the free GNU Privacy Guard (GnuPG) and some asymmetric encryption techniques (See Sidebar 1. Asymmetric Cryptography in This Solution).
GnuPG is the open source implementation of OpenPGP security software. To implement the message encryption, I employed a patent-free algorithm contained in GnuPG called the ElGamal encryption system.
This article demonstrates how my system enables you to remotely control your server in batch mode with signed and encrypted emails. It uses a fictional, authorized email sender (email@example.com) and an example remote server (firstname.lastname@example.org) for the sender to query. The server will run Debian Linux.
The Process Schema
The following are the steps involved in the process of controlling a server via email:
- Create the list of all authorized command senders (e.g., email@example.com).
- Let the sender generate private/public key pairs with GnuPG.
- Generate a private/public key pair with GnuPG for the server, which has the email address firstname.lastname@example.org.
- Import the sender's public key on the server keyring and server's public key on the sender's keyring.
- Let the sender sign and encrypt the command to run remotely on the server, embed it in an email, and send it to the server address.
- Let the server download the email messages and process them with a script as follows:
  - Verify whether the sender is authorized.
  - Decrypt and run the command.
  - Capture output from stdout and stderr, possibly killing hanging commands after a reasonable period of time.
  - Sign and encrypt the outputs, embed them in an email, and send the answer back to the sender address.
- Let the sender read the server outputs, verifying and decrypting its reply.
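The server-side part of this schema (verify the signer, decrypt, run with a time limit, sign and encrypt the reply), written out as an added example and not the article's own script. It assumes gpg(1) and GNU timeout(1) are installed, that the sender's public key is already in the server keyring, and that AUTHORIZED_FPRS holds the signing-key fingerprints of authorized senders (the value below is a constructed placeholder).

```shell
#!/bin/sh
# Added example, not the article's own script: server-side handling of one
# signed and encrypted command message. Assumes gpg(1) and GNU timeout(1) are
# installed and the server keyring already holds the sender's public key.
# The allowlist holds signing-key fingerprints (constructed placeholder value).
AUTHORIZED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# Read a gpg --status-fd transcript on stdin. Print the signer's fingerprint and
# return 0 only if the message was actually encrypted, carries exactly one good
# signature that is not bad/expired/revoked, and the signing key is on the
# allowlist. Anything else returns 1 and the plaintext is never used. Note that
# the decision is made on the VALIDSIG fingerprint, never on the From: header.
message_accepted() {
    awk -v allow="$AUTHORIZED_FPRS" '
        BEGIN { n = split(allow, a, "[ \t\n]+"); for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "DECRYPTION_OKAY" { dec = 1 }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { fpr = $3 }   # third field is the signing key fingerprint
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (dec && good == 1 && !bad && (fpr in ok)) { print fpr; exit 0 } exit 1 }'
}

# Take one ASCII-armored message body on stdin: verify and decrypt, run the
# command under a time limit, capture stdout and stderr, and emit the reply
# signed by the server's default key and encrypted to the verified signer.
process_message() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/msg"
    # --status-fd 3 keeps the machine-readable verdict apart from the plaintext.
    gpg --batch --quiet --status-fd 3 --output "$tmp/cmd" --decrypt "$tmp/msg" \
        3>"$tmp/status" 2>"$tmp/err"
    if ! sender=$(message_accepted <"$tmp/status"); then
        rm -rf "$tmp"; return 1
    fi
    # Hanging commands are killed after 60 s; stderr is merged into the reply.
    out=$(timeout 60 sh "$tmp/cmd" 2>&1); rc=$?
    # The recipient is pinned to the verified fingerprint; --trust-model always
    # is acceptable here because the allowlist check already identified the key.
    printf 'exit status: %s\n%s\n' "$rc" "$out" |
        gpg --batch --armor --trust-model always --sign --encrypt --recipient "$sender"
    rm -rf "$tmp"
}
# Usage: process_message < decoded_message.asc  (output is the armored reply)
```

Feeding the reply into the mail transport is left to the mail fetcher that calls process_message; a signed-only message, an expired or revoked signing key, or a fingerprint missing from the allowlist are all rejected before the command file is ever executed.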