The missing reverse proxy for ssh scp
tg123/sshpiper
# sshpiper

sshpiper is the reverse proxy for sshd. All protocols running on top of ssh, including ssh, scp and port forwarding, are supported.
Note: this is the `v1` version; the legacy `v0` version is kept on the `v0` branch.
## Terminology

- `downstream`: the client side, typically an ssh client.
- `upstream`: the server side, typically an ssh server.
- `plugin`: handles the routing from `downstream` to `upstream`. The `plugin` is also responsible for mapping authentication methods to the upstream server. For example, the downstream may use password authentication, but the upstream server may receive public key authentication mapped by `sshpiper`.
- `additional challenge`: some `plugins` will not only perform routing but also add additional challenges to SSH authentication for the `upstream` server. For example, the `downstream` may be asked for two-factor authentication provided by the `plugin`.
```
+---------+                  +------------------+            +-----------------+
|         |                  |                  |            |                 |
| Bob     +--ssh -l bob--+   |     sshpiper     +------------> Bob's machine   |
|         |              |   |                  |            |                 |
+---------+              |   |                  |            +-----------------+
                         +---> pipe-by-name  ---+
+---------+              |   |                  |            +-----------------+
|         |              |   |                  |            |                 |
| Alice   +-ssh -l alice-+   |                  +------------> Alice's machine |
|         |                  |                  |            |                 |
+---------+                  +------------------+            +-----------------+
 downstream                        sshpiper                       upstream
```
## Build

```bash
git clone https://github.com/tg123/sshpiper
cd sshpiper
git submodule update --init --recursive
mkdir out
go build -tags full -o out ./...
```
## Quick start

```bash
# start a throwaway upstream sshd in docker (user "user", password "pass") on 127.0.0.1:5522
docker run -d -e USER_NAME=user -e USER_PASSWORD=pass -e PASSWORD_ACCESS=true -p 127.0.0.1:5522:2222 lscr.io/linuxserver/openssh-server

# start sshpiperd with the fixed plugin, which routes every downstream to 127.0.0.1:5522
./out/sshpiperd -i /tmp/sshpiperkey --server-key-generate-mode notexist --log-level=trace ./out/fixed --target 127.0.0.1:5522

# connect through sshpiper on port 2222
ssh 127.0.0.1 -l user -p 2222
```
The following illustrates an `additional challenge`: the `simplemath` plugin runs before the `fixed` plugin, so the downstream must answer its question before being routed.

```bash
./out/sshpiperd -i /tmp/sshpiperkey --server-key-generate-mode notexist --log-level=trace ./out/simplemath -- ./out/fixed --target 127.0.0.1:5522
```
- 🔀: routing plugin
- 🔒: additional challenge plugin
## Plugin list

- workingdir 🔀: `/home`-like directory to manage upstream routing by sshpiperd.
- yaml 🔀: configure routing with a single yaml file.
- docker 🔀: pipe into docker containers.
- kubernetes 🔀: manage pipes via Kubernetes CRD.
- azdevicecode 🔒: ask the user to enter an Azure device code before login.
- fixed 🔀: fixed targeting of the dummy sshd server.
- simplemath 🔒: ask a very simple math question before login, for demo purposes.
- githubapp 🔀: log in over ssh with your GitHub account.
- restful by @11notes 🔀🔒: a simple plugin that lets you use a RESTful backend for authentication and challenge.
- failtoban 🔒: ban an IP after failed login attempts.
- openpubkey 🔀🔒: integrate with openpubkey.
## Screen recording

### asciicast

Records the screen in asciicast format: https://docs.asciinema.org/manual/asciicast/v2/

To use it, start sshpiperd with `--screen-recording-format asciicast` and `--screen-recording-dir /path/to/recordingdir`.

Example:

```
ssh user_name@...
do some commands
exit
asciinema play /path/to/recordingdir/<conn_guid>/shell-channel-0.cast
```

### typescript

Records the screen in typescript format (the file format, not the language). The format is compatible with scriptreplay(1).

To use it, start sshpiperd with `--screen-recording-format typescript` and `--screen-recording-dir /path/to/recordingdir`.

Example:

```
ssh user_name@127.0.0.1 -p 2222
... do some commands
exit
$ cd /path/to/recordingdir/<conn_guid>
$ ls *.timing *.typescript
1472847798.timing 1472847798.typescript
$ scriptreplay -t 1472847798.timing 1472847798.typescript # will replay the ssh session
```
## Public key authentication

During SSH publickey auth (RFC 4252 Section 7), the ssh client signs the `session_id` and some other data with its private key, producing a signature `sig`. This lets the server verify that the connection comes from the client and not from a man in the middle.

However, sshpiper actually holds two ssh connections, and it is doing what a man in the middle does. The two connections' `session_id` values will never be the same, because each is a hash derived from that connection's shared secret (RFC 4253 Section 7.2), so the client's signature cannot simply be passed on to the upstream.

To support publickey auth, the sshpiper routing plugin must provide a new private key for the `upstream`, used to sign the upstream `session_id`. This new private key is called the `mapping key`.
### How this works

```
+------------+        +------------------------+
|            |        |                        |
|   client   |        |        sshpiper        |
|   PK_X     +------->|                        |
|            |        |            |           |
+------------+        |            v           |
                      |    Check Permission    |       +----------------+
                      |            |           |       |                |
                      |            v           |       |     server     |
                      |  sign again using PK_Y +------>|   check PK_Y   |
                      |                        |       |                |
                      +------------------------+       +----------------+
```
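The re-signing step in the diagram, as an added example in Go that is not part of sshpiper's code: it uses standard-library ed25519 key pairs in place of the real PK_X and PK_Y, two random values in place of the two connections' KEX shared secrets, and assembles the RFC 4252 Section 7 signed data by hand. It shows that the client's signature verifies only against the downstream `session_id`, and that the upstream is given a fresh signature made with the mapping key over the upstream `session_id`.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sshString encodes an SSH "string": uint32 big-endian length, then the bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// ed25519Blob is the public key blob sent in the request: string "ssh-ed25519", string key.
func ed25519Blob(pk ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pk)...)
}

// signedData assembles what the client signs for publickey auth (RFC 4252 Section 7):
// session_id, SSH_MSG_USERAUTH_REQUEST, user, service, "publickey", TRUE, algorithm, key blob.
func signedData(sessionID []byte, user string, pk ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte("ssh-connection")))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(ed25519Blob(pk)))
	return buf.Bytes()
}

// newSessionID stands in for the exchange hash H of RFC 4253 Section 7.2, which becomes a
// connection's session_id: it is derived from that connection's shared secret, so the
// downstream and upstream connections never share one. The secret is a random stand-in.
func newSessionID() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	h := sha256.Sum256(secret)
	return h[:], nil
}

// PipeResult records the three checks in the diagram above.
type PipeResult struct {
	ClientSigOKDownstream bool // sshpiper checks PK_X against the downstream session_id
	ClientSigOKUpstream   bool // the same signature checked against the upstream session_id
	MappingSigOKUpstream  bool // sshpiper signs again with PK_Y for the upstream session
}

// SimulatePipe runs the flow: the client signs with PK_X for the downstream connection,
// sshpiper verifies it, then signs a fresh request with the mapping key PK_Y for upstream.
func SimulatePipe(user string) (PipeResult, error) {
	var r PipeResult
	pkX, skX, err := ed25519.GenerateKey(rand.Reader) // client's key pair
	if err != nil {
		return r, err
	}
	pkY, skY, err := ed25519.GenerateKey(rand.Reader) // mapping key pair held by the plugin
	if err != nil {
		return r, err
	}
	sidDown, err := newSessionID()
	if err != nil {
		return r, err
	}
	sidUp, err := newSessionID()
	if err != nil {
		return r, err
	}
	// Downstream leg: the client's signature is bound to sidDown ("Check Permission").
	clientSig := ed25519.Sign(skX, signedData(sidDown, user, pkX))
	r.ClientSigOKDownstream = ed25519.Verify(pkX, signedData(sidDown, user, pkX), clientSig)
	// The same signature is useless upstream, where the server would bind it to sidUp.
	r.ClientSigOKUpstream = ed25519.Verify(pkX, signedData(sidUp, user, pkX), clientSig)
	// Upstream leg: sshpiper signs again with the mapping key over sidUp.
	mappingSig := ed25519.Sign(skY, signedData(sidUp, user, pkY))
	r.MappingSigOKUpstream = ed25519.Verify(pkY, signedData(sidUp, user, pkY), mappingSig)
	return r, nil
}

func main() {
	r, err := SimulatePipe("bob")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The upstream server only ever sees PK_Y, so the mapping key's public half is what must be authorized on the upstream, and the mapping key's private half is the secret the routing plugin has to protect.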
## What changed in v1

- The low-level sshpiper API is fully redesigned to support more routing protocols.
- The plugin system is totally redesigned to be more flexible and extensible.
- Plugins are now separated from the main process and no longer form a single big binary; this allows users to write their own plugins without touching `sshpiperd` code.
- `grpc` is first class now; the plugins are built on top of it.
For plugins already in `v1`, you need to change their params to the new params. However, not all plugins are migrated to `v1` yet; they are being migrated gradually. You can still use the old plugins on the `v0` branch.
## License

MIT