SSH No Ports uses Atsign’s end-to-end encrypted control plane to initiate SSH connections without opening ports on either of your devices.
Atsign’s Core Technology (a.k.a. Control Plane)
Atsign’s patent-pending core technology is engineered to deliver the following benefits:
Atsign’s core technology uses identifiers which replace the need to manage IP addresses. If you remember the atSign (Atsign’s version of an address), you can look up the IP address and port in the atDirectory which manages this information for you.
Atsign’s core technology provides each device with its own microservice which makes it reachable from anywhere on the Internet.
- No open ports (no network attack surface) on the device
Connections are always made from the device to the microservice, meaning that no ports ever need to be opened on devices using this technology.
- End-to-end encrypted
Information is automatically encrypted on the edge devices before it is sent over Atsign’s control plane.
- Zero Trust
Atsign’s technology is designed so that cryptographic keys are only stored on the edge device. No third party or intermediary ever possesses the decryption keys which are required to access the information. You don’t need to trust any of the microservices, because they never see information in the clear.
In other words, sending information using Atsign’s control plane requires no open ports and is fully edge-to-edge encrypted, all without needing to know the IP address of the device!
How SSH No Ports uses Atsign’s Control Plane
- Alice wants to securely connect to her remote device, @alice_device.
- To initiate this, Alice’s client, @alice_client, will first select a socket rendezvous, or SR for short.
- The SR will issue two connection ports to @alice_client by providing the host address and two port numbers. This is done through Atsign’s control plane, and the information is end-to-end encrypted.
- Next, @alice_client requests a connection to @alice_device and shares one port from the SR.
- The device, @alice_device, generates a new ephemeral SSH key pair for the session.
- @alice_device automatically sends the ephemeral SSH private key to @alice_client.
- @alice_device will then forward its SSHD port to the SR using Atsign’s SSHRV client.
- This enables @alice_client to SSH to the SR using the second port.
- The Socket Rendezvous connects both ports that are issued to @alice_client.
- An SSH tunnel from @alice_client is created over the connected tunnel through the SR to @alice_device.
- This tunnel forwards an ephemeral port on @alice_client’s localhost to @alice_device’s SSHD port.
- Now the connection is ready! The application will provide an SSH command which can be used to connect over this tunnel.
- When running the command, Alice will be able to connect to @alice_device over SSH!
- Alice has successfully connected to her remote device, @alice_device.
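
The rendezvous step in the flow above, as an added example (not Atsign's code or the SSHRV client): a relay hands out two single-use ports, the device and the client each dial out to one of them, and the relay joins the two streams, so neither endpoint ever listens. The function names, the loopback address and the banner strings are assumptions constructed for illustration; in the real flow the relayed bytes are SSH traffic.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer vanished mid-copy; nothing left to relay


def start_rendezvous(host="127.0.0.1"):
    """Hypothetical SR: bind two ports, join the first connection on each."""
    # Port 0 lets the OS pick a free port, like the SR issuing two ports.
    listeners = [socket.create_server((host, 0)) for _ in range(2)]
    ports = tuple(l.getsockname()[1] for l in listeners)

    def serve():
        a, b = (l.accept()[0] for l in listeners)
        for l in listeners:
            l.close()  # single use: no later party can attach to the session
        t = threading.Thread(target=_pipe, args=(a, b), daemon=True)
        t.start()
        _pipe(b, a)
        t.join()
        a.close()
        b.close()

    threading.Thread(target=serve, daemon=True).start()
    return ports


def demo():
    """Constructed exchange: both endpoints connect outbound to the relay."""
    device_port, client_port = start_rendezvous()
    # The device dials out first, as when it forwards its SSHD port to the SR.
    device = socket.create_connection(("127.0.0.1", device_port))
    client = socket.create_connection(("127.0.0.1", client_port))
    client.sendall(b"SSH-2.0-constructed-client\r\n")  # constructed banner
    seen_by_device = device.makefile("rb").readline()
    device.sendall(b"SSH-2.0-constructed-device\r\n")  # constructed banner
    seen_by_client = client.makefile("rb").readline()
    device.close()
    client.close()
    return seen_by_device, seen_by_client


if __name__ == "__main__":
    print(demo())
```

The relay only copies bytes between the two sockets and never interprets them, which is why the SSH session it carries stays opaque to it.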