The missing reverse proxy for ssh scp

tg123/sshpiper


sshpiper is the reverse proxy for sshd. All protocols that run on top of ssh, including ssh, scp and port forwarding, are supported.

Note: this is the v1 version; check out the legacy v0 here.

Overview and Terminology

  • downstream: the client side, typically an ssh client.
  • upstream: the server side, typically an ssh server.
  • plugin: handles the routing from downstream to upstream. The plugin is also responsible for mapping authentication methods to the upstream server. For example, the downstream may use password authentication, but the upstream server may receive public key authentication mapped by sshpiper.
  • additional challenge: some plugins not only perform routing but also add additional challenges to SSH authentication for the upstream server. For example, the downstream may be asked for two-factor authentication provided by the plugin.
```
+---------+                      +------------------+          +-----------------+
|         |                      |                  |          |                 |
|   Bob   +----ssh -l bob----+   |   sshpiper       +------------->   Bob' machine  |
|         |                  |   |                  |  |       |                 |
+---------+                  |   |                  |  |       +-----------------+
                             +---> pipe-by-name--+  |
+---------+                  |   |                  |  |       +-----------------+
|         |                  |   |                  |  |       |                 |
|  Alice  +----ssh -l alice--+   |                  +------------->  Alice' machine |
|         |                      |                  |          |                 |
+---------+                      +------------------+          +-----------------+
 downstream                         sshpiper                        upstream
```

Quick start

Build

```
git clone https://github.com/tg123/sshpiper
cd sshpiper
git submodule update --init --recursive
mkdir out
go build -tags full -o out ./...
```

Run simple demo

Start a dummy sshd server:

```
docker run -d -e USER_NAME=user -e USER_PASSWORD=pass -e PASSWORD_ACCESS=true -p 127.0.0.1:5522:2222 lscr.io/linuxserver/openssh-server
```

Start sshpiperd with the fixed plugin targeting the dummy sshd server:

```
./out/sshpiperd -i /tmp/sshpiperkey --server-key-generate-mode notexist --log-level=trace ./out/fixed --target 127.0.0.1:5522
```

Test the ssh connection (password: pass):

```
ssh 127.0.0.1 -l user -p 2222
```

➕ math before login?

This illustrates an additional challenge (the simplemath plugin) chained before the fixed plugin:

```
./out/sshpiperd -i /tmp/sshpiperkey --server-key-generate-mode notexist --log-level=trace ./out/simplemath -- ./out/fixed --target 127.0.0.1:5522
```

Plugins

Icons

  • 🔀: routing plugin
  • 🔒: additional challenge plugin

Plugin list

  • workingdir 🔀: /home-like directory to manage upstream routing by sshpiperd.
  • yaml 🔀: configure routing with a single yaml file.
  • docker 🔀: pipe into docker containers.
  • kubernetes 🔀: manage pipes via Kubernetes CRD.
  • azdevicecode 🔒: ask the user to enter an Azure device code before login.
  • fixed 🔀: fixed targeting of the dummy sshd server.
  • simplemath 🔒: ask a very simple math question before login, for demo purposes.
  • githubapp 🔀: log in to ssh with your GitHub account.
  • restful by @11notes 🔀🔒: the rest plugin for sshpiperd is a simple plugin that allows you to use a RESTful backend for authentication and challenge.
  • failtoban 🔒: ban an IP after failed login attempts.
  • openpubkey 🔀🔒: integrate with openpubkey.

Screen recording

asciicast

Records the screen in asciicast format: https://docs.asciinema.org/manual/asciicast/v2/

To use it, start sshpiperd with --screen-recording-format asciicast and --screen-recording-dir /path/to/recordingdir

Example:

```
ssh user_name@...
... do some commands
exit

asciinema play /path/to/recordingdir/<conn_guid>/shell-channel-0.cast
```

typescript

Records the screen in typescript format (not the language). The format is compatible with scriptreplay(1).

To use it, start sshpiperd with --screen-recording-format typescript and --screen-recording-dir /path/to/recordingdir

Example:

```
ssh user_name@127.0.0.1 -p 2222
... do some commands
exit

$ cd /path/to/recordingdir/<conn_guid>
$ ls *.timing *.typescript
1472847798.timing 1472847798.typescript
$ scriptreplay -t 1472847798.timing 1472847798.typescript # will replay the ssh session
```

Public key authentication when using sshpiper (Private key remapping)

During SSH publickey auth (RFC 4252 Section 7), the ssh client signs the session_id and some other data with its private key, producing a signature sig. This lets the server verify that the connection comes from the client and not from a man in the middle.

However, sshpiper actually holds two ssh connections and does exactly what a man in the middle does. The two connections' session_id values will never be the same, because each is the hash of that connection's shared secret (RFC 4253 Section 7.2), so the downstream signature cannot simply be forwarded upstream.

To support publickey auth, the sshpiper routing plugin must provide a new private key for the upstream connection, used to sign the upstream session_id. This new private key is called the mapping key.

How this works

```
+------------+        +------------------------+
|            |        |                        |
|   client   |        |   sshpiper             |
|   PK_X     +-------->      |                 |
|            |        |      v                 |
|            |        |   Check Permission     |
+------------+        |      |                 |
                      |      |                 |
                      |      |                 |     +----------------+
                      |      v                 |     |                |
                      |   sign again           |     |   server       |
                      |   using PK_Y  +-------------->   check PK_Y   |
                      |                        |     |                |
                      |                        |     |                |
                      +------------------------+     +----------------+
```
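As an added illustration (not sshpiper's own code), this Go snippet builds the RFC 4252 Section 7 signed blob with the standard library's ed25519 and shows why the flow above is needed: the client's signature is bound to the downstream session_id and does not verify against the upstream session_id, while a fresh signature with the mapping key PK_Y does. The two session ids are constructed random values standing in for the two exchange hashes, and the public key blob is simplified to the raw key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

func sshString(b []byte) []byte { // SSH "string": uint32 length prefix + bytes (RFC 4251)
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// userauthSignedData is the blob a client signs for publickey auth (RFC 4252 section 7).
// session_id is its first field, which binds the signature to exactly one SSH connection.
func userauthSignedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	d := sshString(sessionID)
	d = append(d, 50) // SSH_MSG_USERAUTH_REQUEST
	for _, s := range []string{user, "ssh-connection", "publickey"} {
		d = append(d, sshString([]byte(s))...)
	}
	d = append(d, 1) // boolean TRUE: this request carries a signature
	d = append(d, sshString([]byte("ssh-ed25519"))...)
	return append(d, sshString(pub)...) // public key blob (simplified to the raw key)
}

func sign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	return ed25519.Sign(priv, userauthSignedData(sessionID, user, priv.Public().(ed25519.PublicKey)))
}
func verify(pub ed25519.PublicKey, sessionID []byte, user string, sig []byte) bool {
	return ed25519.Verify(pub, userauthSignedData(sessionID, user, pub), sig)
}

// RemapDemo plays the three parties and reports: does the client's signature verify on the
// downstream connection, would it verify if forwarded unchanged to the upstream connection,
// and does a fresh signature made with the mapping key verify there.
func RemapDemo() (downstreamOK, forwardedOK, remappedOK bool) {
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)   // PK_X, held by the client
	mappingPub, mappingPriv, _ := ed25519.GenerateKey(rand.Reader) // PK_Y, held by sshpiper
	downstreamSID, upstreamSID := make([]byte, 32), make([]byte, 32) // constructed exchange hashes
	rand.Read(downstreamSID) // client<->sshpiper session_id
	rand.Read(upstreamSID)   // sshpiper<->server session_id, never equal to the downstream one
	sig := sign(clientPriv, downstreamSID, "bob")
	downstreamOK = verify(clientPub, downstreamSID, "bob", sig) // sshpiper's "Check Permission"
	forwardedOK = verify(clientPub, upstreamSID, "bob", sig)    // forwarding sig upstream fails
	reSig := sign(mappingPriv, upstreamSID, "bob")              // "sign again using PK_Y"
	remappedOK = verify(mappingPub, upstreamSID, "bob", reSig)  // server's "check PK_Y"
	return
}
```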

Ports to other platforms

Migrating from v0

What's the major change in v1

  • The low-level sshpiper API is fully redesigned to support more routing protocols.
  • The plugin system is totally redesigned to be more flexible and extensible.
    • Plugins are now separated from the main process and no longer form a single big binary; this allows users to write their own plugins without touching sshpiperd code.
  • grpc is first class now; the plugins are built on top of it.

For plugins already ported to v1, you need to change their params to the new params. However, not all plugins have been migrated to v1 yet; they are being migrated gradually. You can still use the old plugins in the v0 branch.

Contributing

See CONTRIBUTING.md

License

MIT
