Any way to remotely transfer files to/from Retropie?
-
Hi, the safest way is a VPN, many routers support it. Connect to the VPN, and then with sshfs (need to install the server package in retropie) you can mount the remote filesystem. No security issue, a bit more complicated, but much better.
-
scp allows you to copy files over ssh without any fancy shenanigans. https://en.wikipedia.org/wiki/Secure_copy
-
Hi @markyh444, could you please elaborate why you'd prefer a remote session to "a pc" (I presume that you mean Windows by that) to a direct ssh connection? I'm having reservations against that approach, because
- most remote access solutions would also require port forwarding, those who don't usually rely on external third-party servers which are a security liability by themselves,
- every additional layer of complexity (here: the pc's OS and its remote access software) increases the attack surface,
- in contrast, Retropie's minimal system without a desktop environment is much less complex than any extensive desktop OS,
- SSH is made for secure remote access, and
- its port can be changed to a less common one, although there are reasons to think that this is a bad idea.
For these reasons, I'd rather recommend a direct SSH connection with a strong passphrase or, even better, public key authentication to a Retropie system that should be updated regularly.
Please don't take this offensively, I'm just curious and I'd welcome a fruitful discussion about our different views in this matter, if you like. 😌 Of course, this applies to anyone reading this.
edit: typo 😒
-
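The settings behind the recommendation above (public key authentication rather than passwords), as an added example that is not part of the original thread: a small Python audit of the global section of an sshd_config. The sample configs are constructed, and Include files and Match blocks are not evaluated.

```python
# Constructed samples; keyword names and defaults are OpenSSH's documented ones.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Older spelling of the same option, still present in many shipped configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK = "Port 22\n#PasswordAuthentication no\nPermitRootLogin yes\n"
HARDENED = ("Port 22\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPermitRootLogin no\n")


def effective_settings(config_text):
    """Global-section values: first occurrence wins, except Port, which may repeat."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                # blank line, comment, or keyword without value
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        if keyword == "match":      # conditional blocks are not evaluated here
            break
        if keyword == "port":
            ports.append(parts[1].strip())
        elif keyword in DEFAULTS:
            seen.setdefault(keyword, parts[1].strip().lower())
    return {**DEFAULTS, **seen, "port": ports or ["22"]}


def audit(config_text):
    """Return findings for settings that leave password guessing possible."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("password login enabled")
    if s["kbdinteractiveauthentication"] == "yes":
        findings.append("keyboard-interactive enabled (PAM can still ask for a password)")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key login disabled")
    if s["permitrootlogin"] == "yes":
        findings.append("root may log in with a password")
    return findings
```

On a live system, `sudo sshd -T` prints the configuration sshd actually resolves, including any Include files.
-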
@clyde Having an always-on SSH server exposed to the internet is always a risk to have your password brute-forced - see https://www.theregister.co.uk/2017/06/13/linuxmuldrop14_malware_for_raspberry_pi/. If you don't change your PI password from the default - as I assume most users don't - you'll get your system cracked easily. See this topic for an actual case of a RetroPie user.
If you use something like TeamViewer/LogmeIn, you don't need to open any additional ports and since the connection is always performed on-demand, there's an additional confirmation from the connecting parties so there's no risk of somebody else connecting to your system.
I second @markyh444's suggestion - if you don't need to permanently be connected to the system, then use something like TeamViewer, it's much safer and more user friendly (especially for non-technical users).
-
@mitu Thanks for your reply. I highly doubt that a closed-source software that circumvents router's firewalls by connecting to a third-party server is safer than an up to date SSH with a strong passphrase or public key authentication. The former may seem more convenient to the average (Windows) user, but I rate it as potentially less than more secure. See TeamViewer: Fraudulent Uses and LogMeIn Hamachi: Security for some examples as well as general security and privacy concerns.
That said, you can also use bad passwords in remote viewers, and you can also start ssh only on demand, edit: or open its ports only if needed, so I don't see those arguments in favour of the viewers. Your example doesn't say anything about SSH vs. remote viewers, but everything about weak vs. strong authentication.
-
@clyde said in Any way to remotely transfer files to/from Retropie?:
See TeamViewer: Fraudulent Uses and LogMeIn Hamachi: Security for some examples as well as general security and privacy concerns.
Just as an always-on connection for SSH poses a brute-force security risk, if you configure TeamViewer/LogmeIn as a Windows service and exposed to the internet you'll get the same exposure and risk, and the same can be said for any public facing log in service (RDP). However, starting them on-demand, just when you need to connect, will not pose the same risk since there's no listening port and the connection is always approved by the destination user. For me, that's always safer than letting SSH open to the internet.
-
@clyde any remote connection exposed to the internet is a security risk. I'm a Cisco network engineer with 13 years' experience and know the risks fairly well. As @mitu said, a common protocol left open is a risk to brute force attacks and exploits and I would only recommend using them if you know what you're doing and can isolate and/or protect the risk on your network. As this situation seems to involve non-technical users, a remote session to the machine via logmein or TeamViewer then SSH to the Pi makes much more sense to me. I agree that these are not without risk as well, but if only run when required, then it should be ok. Also, it requires less technical know-how than enabling and disabling port forwarding or SSH on demand imho.
-
teamviewer and putty?
-
What I would do if one of you has a decent (not cable company provided) router, set up a VPN server on the router (OpenVPN is pretty easy and has tutorials). Then the other would use their OpenVPN client to connect. Then it will be just like you are on the same network.
-
@markyh444 I agree with you that any remote connection is a security risk, sure. Not to have an opening is of course more secure than to have one, as well guarded as it might be.
But I think it's not that big of a risk to leave an ssh connection exposed to the internet. As long as you set a decently strong password (I'm talking 20-30 random characters) you will be fine. The connection has to be targeted specifically (while the Pi is running or otherwise there would not be anything to target) to be brute forced or otherwise exploited which is pretty unlikely. Plus, as I suggested, the port forwarding can be disabled when not needed to further lower the risk of abuse, which should of course always be preferred to leaving the connection exposed.
Yeah, using programs like logmein or teamviewer might be slightly easier but imo port forwarding is pretty much a no-brainer with most modern (consumer) routers and besides not everybody is comfortable with using connections which are established through third party servers (those connections and connection attempts can also be tampered with).
Cheers!
-
@piratefish
I would add, if you want to leave an SSH server exposed:
- Set a strong (obviously non-default) password
- Choose a random/non-default port (aka not 22). Most bots try default ports.
- Use a utility like fail2ban to avoid brute force.
With those rules, I had a computer with ssh exposed for many years without issue, but I kind of knew what I was doing and checked the logs on a regular basis, as well as potential rootkits.
I second the VPN solution, as well as the on-demand remote application.
-
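The log check and the fail2ban idea from the post above, as an added example that is not part of the original thread: a Python scan of sshd log lines that flags any source IP reaching `maxretry` failed logins within `findtime` seconds, and reports logins later accepted from a flagged IP. The log lines are constructed (Debian-style auth.log format, documentation IP ranges), and the `year` parameter is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Debian-style /var/log/auth.log format.
SAMPLE_LOG = """\
Jun 13 10:15:01 retropie sshd[801]: Failed password for pi from 203.0.113.7 port 51001 ssh2
Jun 13 10:15:03 retropie sshd[801]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun 13 10:15:06 retropie sshd[803]: Failed password for pi from 203.0.113.7 port 51003 ssh2
Jun 13 10:15:09 retropie sshd[805]: Accepted password for pi from 203.0.113.7 port 51004 ssh2
Jun 13 11:02:40 retropie sshd[910]: Failed password for pi from 198.51.100.20 port 40110 ssh2
Jun 13 11:03:12 retropie sshd[912]: Accepted publickey for pi from 198.51.100.20 port 40111 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def scan(log_text, maxretry=3, findtime=600, year=2024):
    """Return (flagged, suspicious): IPs with >= maxretry failures inside
    findtime seconds, and (ip, user) logins accepted from a flagged IP."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    flagged, suspicious = set(), []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:  # drop failures older than findtime
                q.popleft()
            if len(q) >= maxretry:
                flagged.add(ip)
        elif ip in flagged:              # success right after a guessing burst
            suspicious.append((ip, m["user"]))
    return flagged, suspicious
```
-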
@sano Agreed! Further security measures never hurt! If you know how to set them up, do so! :)
Just to be clear, remote applications are imo fine to use as well.
VPN would also be my personal preferred method to be honest. I just thought it might be too hard to set up properly (which is integral for security; a sloppily set up VPN might work, but might also easily be less secure than a forwarded ssh connection).
Plus, just for the record, a VPN suffers from the same "problem" of being a constantly exposed connection. ;-)
Cheers!
-
@piratefish I understand that you can take measures to secure your SSH connection, which was why I said I wouldn't recommend it to people who didn't know what they were doing. If you have the technical knowledge, and can limit/isolate the risk posed, then that's fine.
The original post suggests an OK amount of technical knowledge, but not enough to recommend it as the best option in this instance.
-
What about this link to a guide I found that seems to suggest what you are looking for, but needs some software setting up on the RPI3 as well. Once it's all been set up, it appears it's like Remote Desktop access similar to Windows versions
-
Thank you all for the civilized discussion I hoped for. :) I want to add that I, too, accept remote viewers as a valid option, I just prefer the KISS principle of simplicity, proven open source solutions, and as little third-party involvement as possible.
The one thing all solutions mentioned here have in common is that they're only as good as the passphrases or public keys used to secure them, which can't be stressed often enough.
Have a nice day
Clyde
-
Wow, this discussion took on a life of its own. Very fascinating to read. I don't know, most of this sounds like it might be over the heads of my nephew, my brother-in-law, and me. I certainly don't want to do anything that will expose their network to attacks.
I think I'll just plan to do little updates and tweaks with him when I'm in town visiting. Will be a good excuse to teach him a little about tinkering with electronics and code.
Thanks again for the great suggestions.
-
@clyde That's it! The KISS principle. I like that one.
@sub_atomic I hope we did not "scare you away" from setting up a remote connection. Just take your time, read up on how to do it properly and you'll be fine.
But doing it together with your nephew is a thing that I can 100% second. Passing on the love for and knowledge of tinkering and a little coding and IT stuff is always something good. :)
Cheers!