RCE offers a built-in SSH server port, which is disabled by default: An RCE installation
does not open a port for accepting SSH connections unless explicitly configured to do
so. This port is provided using the Java library Apache SSHD
(https://mina.apache.org/sshd-project/). We regularly review this and
other related libraries for security updates, and issue new RCE releases when
necessary.
If RCE's SSH server port is enabled, the port number may be freely chosen.
The accounts used to log into this SSH port are completely independent of system accounts; RCE provides its own account management.
Account passwords are never saved in plaintext. For login verification, only salted BCrypt hashes are stored. SSH key files are supported.
For each SSH account, a single authorization role is selected, which defines which actions are permitted for this account (e.g. workflow monitoring).
These SSH accounts, each with its assigned role and its password hash or SSH public key string, are stored in a JSON file within the instance's "profile" directory. The location of this profile directory can be customized.
Accounts can be added or removed by using a provided text mode UI, or by manually inserting or deleting entries in the JSON file.
Connecting to RCE's SSH port does not create or allow any TCP port forwardings; this feature of standard SSH is disabled.
Each RCE instance automatically creates its own SSH server key pair once the SSH port is enabled. The key data is stored in the RCE instance's profile directory.
Client-side strict host key checking is disabled, and a warning is logged when the server-side key has changed. As the SSH login only provides a first line of security, with the actual service security provided by the RCE authorization system, even a successful MITM attack would not have a significant impact. Additionally, without access to the real login credentials, an attacker would have to perform successful MITM attacks on all incoming connections to the relay server, effectively replacing it completely. Such a scenario is highly unlikely, especially because even on success, such an attack would not impact the security of the service authorization system itself (as noted above).
RCE's SSH port supports three modes of operation:
a custom command shell for RCE administration commands (unlike standard SSH, this feature never provides a direct system shell);
the deprecated "SSH Remote Access" feature (to be replaced in RCE 11.0);
the new "SSH Uplink" feature (released as an experimental feature in RCE 10.0).
The latter SSH Uplink feature is the recommended mode for offering tools as services to users outside of your organization. Unlike "SSH Remote Access", this mode was specifically designed for this purpose. Further, a special SSH authorization role is provided to restrict SSH accounts to using this mode exclusively. Notably, this also completely disables access to the interactive RCE command shell.
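An added example (not RCE's own code): a check one could run over the account entries after manually editing the JSON file described above, confirming that each account has exactly one known role and that its credential is a BCrypt hash or a well-formed SSH public key rather than a plaintext value. The entry layout (`role`, `passwordHash`, `publicKey`) and the role names are assumptions for illustration; this page does not specify RCE's actual schema.

```python
import base64
import re
import struct

# bcrypt modular-crypt string: $2<variant>$<cost>$ + 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")

def check_public_key(line):
    """Return None for a well-formed '<type> <base64> [comment]' key, else a reason."""
    parts = line.split()
    if len(parts) < 2:
        return "public key is not '<type> <base64> [comment]'"
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])  # length prefix of the type string
        embedded = blob[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return "public key blob is not valid"
    return None if embedded == parts[0] else "key type does not match key blob"

def audit_accounts(accounts, known_roles):
    """Return sorted (account, finding) pairs for a name -> entry mapping."""
    findings = []
    for name, entry in accounts.items():
        role = entry.get("role")
        if not isinstance(role, str) or role not in known_roles:
            findings.append((name, "role is not a single known value"))
        pw, key = entry.get("passwordHash"), entry.get("publicKey")
        if not pw and not key:
            findings.append((name, "no credential configured"))
        if pw and not BCRYPT_RE.match(pw):
            findings.append((name, "password field is not a bcrypt hash"))
        reason = check_public_key(key) if key else None
        if reason:
            findings.append((name, reason))
    return sorted(findings)

# Constructed sample: hypothetical field and role names, placeholder hash and key.
_BLOB = base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + bytes(36)).decode()
KNOWN_ROLES = {"workflow_monitoring", "uplink_only", "admin"}
SAMPLE = {
    "alice": {"role": "workflow_monitoring", "passwordHash": "$2a$10$" + "A" * 53},
    "bob": {"role": "uplink_only", "publicKey": "ssh-ed25519 " + _BLOB},
    "carol": {"role": ["admin", "uplink_only"], "passwordHash": "hunter2"},
    "dave": {"role": "uplink_only", "publicKey": "ssh-rsa " + _BLOB},
}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE, KNOWN_ROLES))
```

To apply it to a real file, load the JSON and map its actual field names onto the mapping `audit_accounts` expects.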