Why is this running:
Description = MyVolumio SSH Tunnel
This is basically a backdoor into the system
Killing the service does not effect anything obvious in the operation of Volumio. So what is the purpose of the ssh remote tunnel?
The subdomain also seems randomly generated to be able to identify the Volumio installation, which is also a question, why?:
this is the SSH reverse tunnel which allow to use your Volumio device when not connected to the same wireless network, via myvolumio.org (using a secure encrypted connection). It is also used for the Alexa integration. This technology will also allow the remote streaming of your music collection to your mobile phone (when we will finish this implementation).
You can read more information on this here:
So, if you disable it, you will break the remote connection capability (via myvolumio.org) and Alexa integration, but everything else will work.
While it’s a SSH tunnel, it cannot be used for remote SSH connection, so it’s not a backdoor at all.
Understand. TnX for the explanation!
Can one turn this off in the GUI?
I know it cant be used for ssh into my host, but it gives a server on the internet access to my Volumio interface, which you probably can exploit in some way to gain root and shell on the host. So, enabling a IoT to be accessed from the internet, I need to trust your setup and security monitoring and hunting capabilities etc… which I have no way of assessing. So Id rather not have it turned on by default! And I would apreciate that it was a bit clearer that your IoT is magically reachable from the internetz!
I understand your concern, in any case not being a ssh\telnet its not possible to use it to gain shell\root access to the device.
Currently there is not an explicit option to turn it off (except disabling the device from the myvolumio profile). We will add it in the next release
Strangly, at 00:00 this night, the service seems to have been redeployed, and autossh was up and running again.
It was re enabled via systemctl, and magically the ssh tunnel file in /tmp/ was back…
I cant see any obvious cron entry for this, so maybe its done through the node code?
Where do I turn this off?
Also, not sure if Volumio should be updated via apt, but doing so, there is a conflict with firmware-ralink_1%3a0.43+rpi6_all.deb
–force-overwrite works (of course), but there might be a good reason why you use the non-free version.
Things seems to work fine still though, here at least
This service is managed by the myvolumio plugin, and since it is a vital part of the ecosystem there are various fallback mechanism in place to make sure that remote connection is resilient and will be established if some issues are detected.
To turn it off, simply disable your device from the myvolumio profile page (but this will also disable myvolumio…)
We’ll add a toggle just for that in the next releases.
Doing apt-get upgrade will break your system, don’t do it. We sometimes use different firmware packages because usually new versions tend to break some PI models wifi, so we prefer to stick with known working versions.
btw, chmod 000 /tmp/sshtunnel.sh seems to do the trick!