Remote Plugin Configuration

Overview

The Remote plugin lets your operators take remote control of devices: it opens, monitors, and closes encrypted tunnels for remote access and targeted file transfers.
Built for AMQP-over-TLS, it passes through outbound firewalls and reuses your existing Ident/Token credentials.

| Function | Description |
|---|---|
| Tunneling | Creation of end-to-end encrypted TCP tunnels driven by messages (create / close). |
| Key management | Automatic publication of the SSH-ED25519 public key to the platform, with live key rotation. |
| Heartbeat | Periodic alive message for supervision and state change detection. |
| History | Local CSV log of sessions (UID, IP, duration). |
| Garbage Collector | Automatic cleanup of inactive or orphaned sessions. |

Configuration Details

/etc/alemca/config.yaml
remote:
  enabled: true                     # Disable the plugin entirely if false
  server_id: "fr04"                 # Target datacenter on the platform (for internal routing)
  health_check: 600                 # Interval in seconds between two 'alive' messages
  max_session: 10                   # Maximum number of simultaneous tunnels
  key_path: "/etc/alemca/key.pem"   # ED25519 private key
  history_path: "/etc/alemca/history.csv"  # Local append-only session log

Section Breakdown

  • enabled – Fully turns the Remote plugin on or off.
  • server_id – Shortcut for the platform exit node; use it to group your sites logically (e.g. fr04, us-west). Currently only fr04 is supported.
  • health_check – Period (in seconds) for sending alive messages.
  • max_session – Hard cap on simultaneous tunnels. Once reached, the plugin waits for a tunnel to close before opening a new one.
  • key_path – Location of the private key used to sign and encrypt tunnels. The plugin generates the public key and uploads it to the platform.
  • history_path – Local CSV file logging: start timestamp, session ID, remote IP, duration, close code.
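
One way to review the session log written to history_path, as an added example (not the plugin's own code): it flags sessions from outside an allowlist, overlong sessions, and peak concurrency above max_session. The column order, ISO 8601 timestamps, duration in seconds, the absence of a header row, the allowlisted network and the one-hour limit are all assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample rows (not real data). Assumed column order:
# start timestamp (ISO 8601), session ID, remote IP, duration (s), close code.
SAMPLE_HISTORY = """\
2024-05-01T08:00:00,a1f3,10.20.0.15,900,0
2024-05-01T08:05:00,b7c2,10.20.0.16,1200,0
2024-05-01T08:10:00,c9d4,203.0.113.44,7200,0
2024-05-01T09:30:00,d2e8,10.20.0.15,not-a-number,0
"""


def audit_history(stream, allowed_nets, max_session=10, max_duration_s=3600):
    """Return (findings, peak) for a history CSV read from `stream`."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings, events = [], []
    for lineno, row in enumerate(csv.reader(stream), start=1):
        try:
            start = datetime.fromisoformat(row[0])
            uid, ip = row[1], ipaddress.ip_address(row[2])
            duration = int(row[3])
        except (ValueError, IndexError):
            # A malformed row in an audit log is itself worth reporting.
            findings.append((lineno, "malformed row"))
            continue
        if not any(ip in net for net in nets):
            findings.append((lineno, f"{uid}: source {ip} outside allowed networks"))
        if duration > max_duration_s:
            findings.append((lineno, f"{uid}: duration {duration}s over limit"))
        events.append((start, 1))
        events.append((start + timedelta(seconds=duration), -1))
    # Sweep over open/close events; closes sort before opens at equal times.
    peak = current = 0
    for _, delta in sorted(events):
        current += delta
        peak = max(peak, current)
    if peak > max_session:
        findings.append((0, f"peak concurrency {peak} exceeds max_session"))
    return findings, peak


if __name__ == "__main__":
    results, peak = audit_history(io.StringIO(SAMPLE_HISTORY), ["10.20.0.0/16"])
    for lineno, message in results:
        print(f"line {lineno}: {message}")
    print("peak concurrent sessions:", peak)
```

A peak above max_session in the log would mean either the cap was not enforced or the log is inconsistent, so it is reported as a finding rather than ignored.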

Session Life-Cycle

  1. Request – The console publishes a message on <topic>.session containing the session key.
  2. Establishment – The agent creates a tunnel.Tunnel, signs its public key, and replies on the dedicated queue.
  3. Transfer – Any stream (SSH, RDP, SOCKS, etc.) flows through the encrypted tunnel (ED25519 + curve25519).
  4. Closure – The console or the agent publishes a message on <topic>.close.
  5. Garbage Collector – After 30 min of inactivity or loss of ACK, the agent destroys the session.