Protocol for remote serial port, with authentication and encryption

I'd like to make a serial port available over the network. RFC-2217 provides extensions to Telnet to transport extra serial port info such as speed, data bits, stop bits, and hardware handshaking lines.

However, I want to ensure it's not freely accessible to just anyone on the network, so I want to do authentication and encryption. Telnet is weak on authentication and does not provide encryption. SSH is generally preferred over Telnet.

Is there any protocol that allows serial port transport through SSH, similar to RFC-2217?

I realise one option could be to tunnel Telnet + RFC-2217 through an SSH tunnel. That is technically achievable, though in practical terms it's a little awkward.

Zeroconf

The other question is, how could such a port be advertised with Zeroconf DNS-SD? E.g. how could a Telnet + RFC-2217 serial port, that is tunnelled through SSH, be advertised with Zeroconf? (plain Telnet + RFC-2217 might be advertised as _telnetcpcd._tcp from what I can tell.)

Craig McQueen asked Jul 03 '12 23:07
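To make concrete what RFC-2217 actually puts on the wire (line speed, data bits, parity, stop bits as Telnet option subnegotiations, all in the clear and unauthenticated, which is what the SSH tunnel is protecting), here is an added example that is not part of the question or answers: it encodes and decodes the COM-PORT-OPTION frames. The option and command codes are those defined in RFC 2217; the function names are my own.

```python
# Added example: RFC 2217 COM-PORT-OPTION subnegotiation framing.
# Codes below are from RFC 2217 section 2; helper names are my own.
IAC, SB, SE = 255, 250, 240        # Telnet "interpret as command", sub-begin, sub-end
COM_PORT_OPTION = 44               # Telnet option number assigned by RFC 2217
SET_BAUDRATE, SET_DATASIZE, SET_PARITY, SET_STOPSIZE = 1, 2, 3, 4
SERVER_REPLY_OFFSET = 100          # the server acknowledges with command + 100


def encode_com_port_option(command: int, value: bytes) -> bytes:
    """Build IAC SB COM-PORT-OPTION <command> <value> IAC SE.
    Any 0xFF inside <value> is doubled so it is not read as IAC."""
    escaped = value.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, COM_PORT_OPTION, command]) + escaped + bytes([IAC, SE])

def set_baudrate(baud: int) -> bytes:
    """Client request to set the line speed (4-byte big-endian value)."""
    return encode_com_port_option(SET_BAUDRATE, baud.to_bytes(4, "big"))

def set_line_format(data_bits: int, parity: int, stop_bits: int) -> bytes:
    """Three one-byte requests: data size, parity (1=none,2=odd,3=even), stop size (1=1,2=2,3=1.5)."""
    return (encode_com_port_option(SET_DATASIZE, bytes([data_bits]))
            + encode_com_port_option(SET_PARITY, bytes([parity]))
            + encode_com_port_option(SET_STOPSIZE, bytes([stop_bits])))

def decode_com_port_option(frame: bytes) -> tuple[int, bytes]:
    """Parse one subnegotiation frame into (command, unescaped value).
    Raises ValueError on anything that is not a well-formed frame."""
    if frame[:3] != bytes([IAC, SB, COM_PORT_OPTION]) or len(frame) < 4:
        raise ValueError("not a COM-PORT-OPTION subnegotiation")
    command, value, i = frame[3], bytearray(), 4
    while i < len(frame):
        b = frame[i]
        if b != IAC:
            value.append(b)
            i += 1
            continue
        if i + 1 >= len(frame):
            raise ValueError("truncated frame")
        nxt = frame[i + 1]
        if nxt == IAC:                 # escaped data byte 0xFF
            value.append(IAC)
            i += 2
        elif nxt == SE:                # end of subnegotiation
            return command, bytes(value)
        else:
            raise ValueError("unexpected IAC sequence inside subnegotiation")
    raise ValueError("missing IAC SE")
```

Note that nothing in these frames identifies or authenticates the sender, which is why the answers below wrap the whole Telnet stream in SSH or TLS rather than trying to secure RFC-2217 itself.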


2 Answers

I'm not sure that SSH tunneling is as awkward as you think:

-W host:port
Requests that standard input and output on the client be forwarded to host on port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with Protocol version 2 only.

Here's what tunneling a short SMTP session looks like (typed input in bold):

$ ssh -W mail.server.com:25 [email protected]
220 mail.server.com ESMTP Postfix
ehlo foo.com
250-mail.server.com
250-PIPELINING
250-SIZE
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye

No separate setting up a tunnel and then connecting to that port, just piping input and output from the ssh process.

blahdiblah answered Oct 10 '22 11:10


What you want is a secured serial-over-LAN connection.

The reason why you don't find any free project which does this is simple – most open source projects separate the transport layer security from the protocol (for good reasons). Instead of re-inventing the wheel for every application, you can just re-use the security component (SSH in this case) and apply it to your unsecured protocol (RFC-2217-compatible, for example).

Just use an SSH tunnel or stunnel to secure the connection. For Windows clients, you can use com2com and for *nix systems something like ttyd.

com2com, for example, does not even require to be started manually after initial setup, so your users only have to establish an SSH tunnel (through PuTTY, for example).

  • com2com
  • socat, using pty and openssl-listen you can do pretty much exactly what you want (slightly contradicts what I wrote above because it actually does implement transport layer security)

leoluk answered Oct 10 '22 12:10