ssh raspberry-pi reversetunnel

Restrict ssh access to server


I have a Raspberry Pi behind an LTE router to connect to the internet. The LTE router prevents the Pi from being assigned a static IP, so I created a service that builds a reverse ssh tunnel with auto-ssh to my private server to be able to access my Pi remotely. The problem now is that if someone gets the SD card of the Pi, he can read the private key from the file system and has access to my server.

Is there any way to protect my server from access through the ssh connection with this key while keeping the ability to build a reverse tunnel without a password?

The server is hosted by Strato and is managed by Plesk, so every domain has its own vhost file system in /var/www/vhost/domain.de. Would it be possible to isolate this space for ssh access with exactly this key on the Pi, so the client can only see what's inside this folder? Or is there any other solution for my problem?


Solution

  • Create a new (tunnel) key on the Raspberry, only to build the reverse tunnel to your Strato server.
    On your Strato server, add the public key to .ssh/authorized_keys, but add in front of it

    command="/bin/false" ssh-rsa ....
    

    To connect, you have to add -N to ssh; this will build a tunnel but doesn't try to open a shell.

    Now it's unimportant if that key gets lost, as it can only build a reverse tunnel, but cannot open a shell.

    You can even use that key for all raspis to build individual reverse tunnels.

    Obviously, on your raspi you add only your user key to .ssh/authorized_keys, not the tunnel key.
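
An added example, not part of the original answer: a small auditor that parses `authorized_keys` entries and reports what a tunnel key is still allowed to do. It goes beyond `command=` alone by also checking the standard sshd key options `restrict`, `port-forwarding`, `no-pty`, `no-agent-forwarding` and `permitlisten`; the function names, sample entries and port 2222 are constructed for illustration.

```python
import re

# One option: a name, optionally followed by ="quoted value".
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # start of the key-type field

def parse_options(line):
    """Return the options of one authorized_keys line, in order of appearance."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}  # no options field at all: the key is unrestricted
    in_quotes, end = False, len(line)
    for i, ch in enumerate(line):  # options end at the first unquoted space
        if ch == '"' and line[i - 1:i] != "\\":
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            end = i
            break
    return {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(line[:end])}

def audit_tunnel_key(line):
    """List what keeps this entry from being a reverse-tunnel-only key."""
    opts = parse_options(line)
    pty = agent = forwarding = True  # sshd defaults when nothing is restricted
    for name in opts:  # later options override earlier ones
        if name == "restrict":
            pty = agent = forwarding = False
        elif name in ("pty", "no-pty"):
            pty = name == "pty"
        elif name in ("agent-forwarding", "no-agent-forwarding"):
            agent = name == "agent-forwarding"
        elif name in ("port-forwarding", "no-port-forwarding"):
            forwarding = name == "port-forwarding"
    checks = [
        ("command" not in opts, "no forced command: key can open a shell"),
        (pty, "pty allocation allowed"),
        (agent, "agent forwarding allowed"),
        (not forwarding, "port forwarding disabled: ssh -N -R cannot build the tunnel"),
        (forwarding and "permitlisten" not in opts,
         "no permitlisten: any remote listen port may be requested"),
    ]
    return [message for failed, message in checks if failed]

SAMPLES = {  # constructed entries; key material replaced by a placeholder
    "plain": "ssh-ed25519 AAAA...placeholder pi-tunnel",
    "answer": 'command="/bin/false" ssh-rsa AAAA...placeholder pi-tunnel',
    "tight": 'restrict,port-forwarding,permitlisten="localhost:2222",'
             'command="/bin/false" ssh-ed25519 AAAA...placeholder pi-tunnel',
}
if __name__ == "__main__":
    for label, entry in SAMPLES.items():
        print(label, audit_tunnel_key(entry))
```

Run it against the server-side `authorized_keys` lines for the tunnel key; an empty list means the entry allows only the listed remote forward.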