tg123/sshpiperPublic

NotificationsYou must be signed in to change notification settings
Fork141
Star1k

The missing reverse proxy for ssh scp

License

MIT license

1k stars 141 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 688 Commits
.github		.github
cmd/sshpiperd		cmd/sshpiperd
crypto @ 44c1e2e		crypto @ 44c1e2e
e2e		e2e
libplugin		libplugin
plugin		plugin
.devcontainer.json		.devcontainer.json
.gitignore		.gitignore
.gitmodules		.gitmodules
.goreleaser.yaml		.goreleaser.yaml
CONTRIBUTING.md		CONTRIBUTING.md
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
entrypoint.sh		entrypoint.sh
go.mod		go.mod
go.sum		go.sum

Repository files navigation

sshpiper 🖇

sshpiper is the reverse proxy for sshd. all protocols, including ssh, scp, port forwarding, running on top of ssh are supported.

Note: this isv1 version, checkout legacyv0here

Overview and Terminology

downstream: the client side, typically an ssh client.
upstream: the server side, typically an ssh server.
plugin: handles the routing fromdownstream toupstream. Theplugin is also responsible for mapping authentication methods to the upstream server. For example, the downstream may use password authentication, but the upstream server may receive public key authentication mapped bysshpiper.
additional challenge: someplugins will not only perform routing but also add additional challenges to SSH authentication for theupstream server. For example, thedownstream may be asked for two-factor authentication provided by theplugin.

+---------+                      +------------------+          +-----------------+|         |                      |                  |          |                 ||   Bob   +----ssh -l bob----+   |   sshpiper    +------------->   Bob' machine  ||         |                  |   |               |  |          |                 |+---------+                  |   |               |  |          +-----------------+                             +---> pipe-by-name--+  |                             +---------+                  |   |               |  |          +-----------------+|         |                  |   |               |  |          |                 ||  Alice  +----ssh -l alice--+   |               +------------->  Alice' machine ||         |                      |                  |          |                 |+---------+                      +------------------+          +-----------------+ downstream                         sshpiper                        upstream

Quick start

Build

git clone https://github.com/tg123/sshpipercd sshpipergit submodule update --init --recursivemkdir outgo build -tags full -o out ./...

Run simple demo

start dummy sshd server

docker run -d -e USER_NAME=user -e USER_PASSWORD=pass -e PASSWORD_ACCESS=true -p 127.0.0.1:5522:2222 lscr.io/linuxserver/openssh-server

start`sshpiperd` with`fixed` plugin targeting the dummy sshd server

./out/sshpiperd -i /tmp/sshpiperkey --server-key-generate-mode notexist --log-level=trace ./out/fixed --target 127.0.0.1:5522

test ssh connection (password:`pass`)

ssh 127.0.0.1 -l user -p 2222

➕ math before login?

Here illustrates the example ofaddional challenge before thefixed plugin.

./out/sshpiperd -i /tmp/sshpiperkey --server-key-generate-mode notexist --log-level=trace ./out/simplemath -- ./out/fixed --target 127.0.0.1:5522

Plugins

icons

🔀: routing plugin
🔒: addtional challenge plugin

Plugin list

workingdir 🔀:/home-like directory to managed upstreams routing by sshpiped.
yaml 🔀: config routing with a single yaml file.
docker 🔀: pipe into docker containers.
kubernetes 🔀: manage pipes via Kubernetes CRD.
azdevicecode 🔒: ask user to enterazure device code before login
fixed 🔀: fixed targeting the dummy sshd server
simplemath 🔒: ask for very simple math question before login, demo purpose
githubapp 🔀: login ssh with your github account
restful by@11notes 🔀🔒: The rest plugin for sshpiperd is a simple plugin that allows you to use a restful backend for authentication and challenge.
failtoban 🔒: ban ip after failed login attempts
openpubkey🔀🔒: integrate withopenpubkey

Screening recording

asciicast

recording the screen inasciicast formathttps://docs.asciinema.org/manual/asciicast/v2/

To use it, start sshpiperd with--screen-recording-format asciicast and--screen-recording-dir /path/to/recordingdir

Example:```ssh user_name@... do some commandsexitasciinema play /path/to/recordingdir/<conn_guid>/shell-channel-0.cast```

typescript

recording the screen intypescript format (not the lang). The format is compatible withscriptreplay(1)

To use it, start sshpiperd with--screen-recording-format typescript and--screen-recording-dir /path/to/recordingdir

Example:```ssh user_name@127.0.0.1 -p 2222... do some commandsexit$ cd /path/to/recordingdir/<conn_guid>$ ls *.timing *.typescript1472847798.timing 1472847798.typescript$ scriptreplay -t 1472847798.timing 1472847798.typescript # will replay the ssh session```

Public key authentication when using sshpiper (Private key remapping)

During SSH publickey auth,RFC 4252 Section 7,ssh client signsession_id and some other data using private key into a signaturesig.This is for server to verify that the connection is from the client notthe man in the middle.

However, sshpiper actually holds two ssh connection, and it is doing whatthe man in the middle does.the two ssh connections'session_id will never be the same, because they are hash of the shared secret.RFC 4253 Section 7.2.

To support publickey auth,sshpiper routing plugin must provide a new private key for theupstream to sign thesession_id. This new private key is calledmapping key.

How this work

+------------+        +------------------------+                       |            |        |                        |                       |   client   |        |   sshpiper             |                       |   PK_X     +-------->      |                 |                       |            |        |      v                 |                       |            |        |   Check Permission     |                       +------------+        |      |                 |                                             |      |                 |                                             |      |                 |     +----------------+                      |      v                 |     |                |                      |   sign again           |     |   server       |                      |   using PK_Y  +-------------->   check PK_Y   |                      |                        |     |                |                      |                        |     |                |                      +------------------------+     +----------------+

Ports to other platforms

sshpiper on OpenWrt by@ihidchaos

Migrating from`v0`

What's the major change in`v1`

low level sshpiper api is fully redesigned to support more routing protocols.
plugins system totally redesigned to be more flexible and extensible.
- plugins are now sperated from main process and no longer a single big binary, this allow user to write their own plugins without touchingsshpiperd code.
grpc is first class now, the plugins are built on top of it

For plugins already inv1, you need change params to new params. However, not all plugins are migrated tov1 yet, they are being migrated gradually. you can still use the old plugins inv0 branch