You could, but I'm not sure that's a good idea security-wise. Also how would you interact with commands that require interaction?
Hm... I'd run the script/service with root privileges and make the commands concise one-liners, maybe... I'm actually only looking at the shutdown command, presuming that it does sync and umount gracefully...
Maybe I could reduce security risks by creating a user that can only run shutdown. And make it so that only that user can access (download, print, execute) emails?
Or don't execute shell commands written in the email, and instead have a plain English command that, if detected, triggers a specific shell command. That way nobody could arbitrarily run code, only the commands you've built into the listener.
I'm not sure that's a good idea security-wise.
You could always sign the messages with GPG or S/MIME.
Sounds like an ~~A/B~~ X/Y problem.
If you just want to ssh into it - there is a thing that you can find by searching "reverse remote shell over HTTPS/WebSocket".
Solutions like these pop up, but I have not personally used any of them:
- Upterm
- WebTTY
- sshx
- Teleconsole
- tmate
Check out whether they could do what you want them to do.
*xy problem. A/B is a user testing thing.
right, right, sorry, my brain is foggy rn.
This.
Look at tailscale.
This is the best solution. Look into Tailscale, it's brilliant for your use-case.
Seconded - just use Tailscale and SSH.
Something like self-hosted Matrix might be better security-wise. Email is pretty insecure, anyone could send an email to you with a command. But with Matrix you'd at least need a token.
Plus there are plenty of hooks/bots you can add to Matrix. NodeRed is an easy one for automations. Send a message to a channel, and it executes different automations. Can easily be a shutdown/ssh command.
Do you mean you're behind a NAT and can't forward maybe?
Tailscale or ZeroTier will work around that.
If you can arrange a fixed IP address externally (or dynamic DNS that follows your IP around) you can set up a reverse SSH connection instead.
Basically your server connects to your external computer via SSH and then sets up port forwarding so that when you connect to localhost:2222 or similar on your PC, you're actually connecting back to the server.
Now THAT sounds like a smart solution! I'll look into it! :) I can ask my ISP to give me a static address for my home. But something needs to prompt the ssh command "at home" to connect to my second computer, right (actually Termux on my Android phone)?
It can be a Cron job that runs every minute. Run a script that:
- Checks for the existence of a file, if it exists, exit.
- (Optional) ping your end, if it's up, continue, otherwise exit
- Touches said file.
- Runs SSH to try and connect to your end. If the connection is made everything halts here until the connection drops.
- Cleans up said file.
- Exits.
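The cron-driven procedure above, written out as one script. This is an added example, not code from the thread; the hostname, account, ports, lock-file path and cron path are assumed values you would replace.

```shell
#!/bin/sh
# Added example, not code from the thread: the cron-driven reverse tunnel
# sketched above, as one script. Host, user, ports and paths are assumed values.
REMOTE_USER="${REMOTE_USER:-tunnel}"             # unprivileged account on the far end
REMOTE_HOST="${REMOTE_HOST:-home.example.org}"  # your static IP or DDNS name
REMOTE_PORT="${REMOTE_PORT:-2222}"               # far-end port that will lead back here
LOCAL_PORT="${LOCAL_PORT:-22}"                   # this box's sshd
LOCKFILE="${LOCKFILE:-/tmp/reverse-tunnel.lock}"
SSH_BIN="${SSH_BIN:-ssh}"
PING_BIN="${PING_BIN:-ping}"

# 0 if a previous cron run still holds the tunnel (the lock file exists).
tunnel_is_running() {
    [ -e "$LOCKFILE" ]
}

# 0 if the far end answers one ping; skips a pointless ssh attempt otherwise.
far_end_is_up() {
    "$PING_BIN" -c 1 -W 2 "$REMOTE_HOST" >/dev/null 2>&1
}

# One pass of the procedure. Returns 0 when the tunnel ran and dropped cleanly,
# 1 when another run already holds it, 2 when the far end is down, else ssh's code.
run_tunnel_once() {
    tunnel_is_running && return 1
    far_end_is_up || return 2
    # Create the lock with noclobber so two overlapping cron runs cannot both win.
    ( set -C; : > "$LOCKFILE" ) 2>/dev/null || return 1
    trap 'rm -f "$LOCKFILE"' EXIT INT TERM
    # -N: no remote shell, just the forward.  -R: far-end REMOTE_PORT -> this sshd.
    # ExitOnForwardFailure makes ssh quit (and the lock clear) if the port is taken;
    # ServerAlive* drop a dead link after ~90 s so the next cron minute restarts it.
    "$SSH_BIN" -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "${REMOTE_PORT}:localhost:${LOCAL_PORT}" \
        "${REMOTE_USER}@${REMOTE_HOST}"
    rc=$?
    rm -f "$LOCKFILE"
    trap - EXIT INT TERM
    return "$rc"
}

# Cron entry (assumed path):  * * * * * /usr/local/bin/reverse-tunnel.sh run
# The argument guard keeps sourcing this file from starting ssh.
case "${1:-}" in
    run) run_tunnel_once ;;
esac
```

On the far end you then reach the home box with `ssh -p 2222 user@localhost`. BatchMode means the tunnel account needs a key, so give it its own key and, in that account's authorized_keys, prefix it with `restrict,port-forwarding` so the key can open the forward but cannot get a shell if it leaks.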
I just use autossh for it.
I run an ssh connection to a VPS I pay like $5, which forwards a port there. The screen in the following command isn't required, but I have it so I don't have to keep the terminal window open.
screen -d -m -S autossh.eastusa.keepalive autossh -M 33333 -R VPS_IP_HERE:5555:localhost:22 root@VPS_IP_HERE
Then from other computers, to connect back
ssh -L 5555:localhost:5555 root@VPS_IP_HERE
ssh root@localhost -p 5555
For remote computers connecting back, the first ssh connects to the VPS and forwards a port to the remote computer. Then the 2nd ssh connection uses the forwarded port to complete the ssh connection to the computer behind the IP that can't port forward.
After thinking about it for a moment, if you don't want to pay for a VPS, I think you can run a hidden service with Tor then just use the onion address to ssh back into the computer. I found this guide. I haven't done it, but it seems like it should work.
Thanks! I'll noodle it around a little. :)
@emotional_soup_88 Possible, but it sounds like an extremely bad idea. If you can send commands, then everybody else can.
True. Hadn't thought of that. Maybe I could make the address extremely long and arbitrary? And "hide" it behind my e-mail alias service?
But I absolutely understand the security implications.
Security by obscurity as single line of defense is generally not a good idea.
And then there is user management and permissions that I could sprinkle on top that.
Yes but your script can check who the email is from and check its certs before doing any operations on it. The only security issue is the email being read in transit but that can be worked around by not sending sensitive info.
It's possible—I've used Perl scripts to pull data automatically out of email attachments stored in a maildir setup, and you should be able to pick commands out of a plain-text email body with a scripting language even more easily—but I will add my voice to the chorus that's saying you should look into any other method you can find before settling on this. If it turns out you must proceed along these lines, think long and hard about security.
There are a couple of apps on f droid that implement this with SMS.
Meshvpn like zerotier?
I'll check it out.
Yes, that is technically possible, but you’ll probably have to design it yourself, because I don’t think anyone else has/will. You need to really consider the security implications of this kind of setup. If anyone discovers how to send an email in the way you’re talking about to your box, they would 100% be able to take over your box.
I've never needed to do this but have you looked into creating a Reverse SSH Tunnel? Maybe that can accomplish what you want https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/
Similar to what you are trying to do: a while back, when I needed to remote connect to a firewalled Windows computer, I set up a reverse VNC connection on that Windows computer that would get initiated whenever I synced a file over to the Windows system via Dropbox/Syncthing (those work without port forwarding). Reverse VNC, like reverse SSH or other connections, basically tries to initiate the connection out of the firewalled system; it's an interesting workaround when you have no incoming port forwards. Not sure if I'd recommend that type of setup, but it is more secure than sending emails, so there's that.
If you're able to set up a mesh VPN that might work better but you do have other options if you need them.