
Is REST API over SSH possible?

I am designing an API for confidential communication between an IoT device and a client. A must is that the client-device connection is secure and no man-in-the-middle can tamper with the communication or attack the devices, including the routing server.

The network diagram is the following:

[Image: network diagram]

  • IoT devices are always at home, behind the same network.
  • Client devices are mobile and change networks.
  • Clients continuously connect to and disconnect from the IoT device.

The clients must be able to execute commands on the IoT devices via an API server running on each IoT device. The routing server only tunnels the requests, but must not be trusted.

My question is:

What protocol should I use to implement this scheme?

I am a little confused over SSH. It seems to be the perfect fit for the secure client <--> IoT device communication over a Tunnel.

But is it possible to create a RESTful API using SSH?

I don't need direct access to the device's shell, I need a layer of abstraction, provided by an API running on the IoT device.

If SSH is not an option, can I securely route requests and execute commands on the IoT device from the Client in any other way?

BabbevDan asked Feb 04 '18 10:02




1 Answer

The way to do it is just to use HTTPS and certificate pinning (this is very similar to what SSH does under the hood).

On the first request to the IoT device, the user pins the device's certificate - after confirming that it is the correct one.

Once we have the certificate we just expose the REST API over the insecure proxy. Everything from then on is handled by the TLS protocol automatically.

The security guarantees are the same as with the SSH protocol.

BabbevDan answered Sep 19 '22 13:09
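A sketch of the pin-on-first-use flow the answer describes, added here as an example and not code from the original post. The names `check_pin`, `open_pinned`, `device_id`, `pin_file` and the `confirm` callback (the user comparing the fingerprint with one obtained from the device out of band) are assumptions for illustration.

```python
import hashlib, hmac, json, socket, ssl
from pathlib import Path

class PinMismatch(Exception):
    """The presented certificate is not the one pinned for this device."""

def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(pins: dict, device_id: str, der_cert: bytes, confirm) -> str:
    """Trust-on-first-use: pin after user confirmation, then require an exact
    match on every later connection (same idea as SSH known_hosts)."""
    seen = fingerprint(der_cert)
    pinned = pins.get(device_id)
    if pinned is None:
        if not confirm(seen):                 # user says the fingerprint is wrong
            raise PinMismatch(f"first-use fingerprint rejected: {seen}")
        pins[device_id] = seen
        return "pinned"
    if not hmac.compare_digest(pinned, seen):
        raise PinMismatch(f"{device_id}: expected {pinned}, got {seen}")
    return "match"

def open_pinned(host, port, device_id, pin_file: Path, confirm):
    """Connect via the untrusted relay at host:port (hypothetical address) and
    return the TLS socket only if the device certificate passes the pin check."""
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the relay's hostname says nothing about the device
    ctx.verify_mode = ssl.CERT_NONE  # CA validation is replaced by the pin check below
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10))
    try:
        check_pin(pins, device_id, tls.getpeercert(binary_form=True), confirm)
    except Exception:
        tls.close()                  # never send an API request to an unverified peer
        raise
    pin_file.write_text(json.dumps(pins))
    return tls
```

Because the pin is checked after the handshake but before any HTTP request is written, a relay that terminates TLS with its own certificate is rejected before it sees API traffic.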