• Stars
    star
    1,787
  • Rank 26,027 (Top 0.6 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 7 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🎩 simple, fun and transparent SSH (and telnet) bastion server

sshportal

CircleCI Go Report Card GoDoc Financial Contributors on Open Collective License GitHub release

Jump host/Jump server without the jump, a.k.a Transparent SSH bastion

Features include: independence of users and hosts, convenient user invite system, connecting to servers that don't support SSH keys, various levels of access, and many more. Easy to install, run and configure.

Flow Diagram


Contents


Installation and usage

Start the server

$ sshportal server
2017/11/13 10:58:35 Admin user created, use the user 'invite:BpLnfgDsc2WD8F2q' to associate a public key with this account
2017/11/13 10:58:35 SSH Server accepting connections on :2222

Link your SSH key with the admin account

$ ssh localhost -p 2222 -l invite:BpLnfgDsc2WD8F2q
Welcome admin!

Your key is now associated with the user "admin@sshportal".
Shared connection to localhost closed.
$

If the association fails and you are prompted for a password, verify that the host you're connecting from has a SSH key set up or generate one with ssh-keygen -t rsa

Drop an interactive administrator shell

ssh localhost -p 2222 -l admin


    __________ _____           __       __
   / __/ __/ // / _ \___  ____/ /____ _/ /
  _\ \_\ \/ _  / ___/ _ \/ __/ __/ _ '/ /
 /___/___/_//_/_/   \___/_/  \__/\_,_/_/


config>

Create your first host

config> host create [email protected]
1
config>

List hosts

config> host ls
  ID | NAME |           URL           |   KEY   | PASS | GROUPS  | COMMENT
+----+------+-------------------------+---------+------+---------+---------+
   1 | foo  | [email protected]:22 | default |      | default |
Total: 1 hosts.
config>

Add the key to the server

$ ssh [email protected] "$(ssh localhost -p 2222 -l admin key setup default)"
$

Profit

ssh localhost -p 2222 -l foo
bart@foo>

Invite friends

This command doesn't create a user on the remote server, it only creates an account in the sshportal database.

config> user invite [email protected]
User 2 created.
To associate this account with a key, use the following SSH user: 'invite:NfHK5a84jjJkwzDk'.
config>

Demo gif: sshportal demo


Use cases

Used by educators to provide temporary access to students. Feedback from a teacher. The author is using it in one of his projects, pathwar, to dynamically configure hosts and users, so that he can give temporary accesses for educational purposes.

vptech, the vente-privee.com technical team (a group of over 6000 people) is using it internally to manage access to servers/routers, saving hours on configuration management and not having to share the configuration information.

There are companies who use a jump host to monitor connections at a single point.

A hosting company is using SSHportal for its “logging” feature, among others. As every session is logged and introspectable, they have a detailed history of who performed which action. This company made its own contribution to the project, allowing the support of more than 65.000 sessions in the database.

The project has also received multiple contributions from a security researcher that made a thesis on quantum cryptography. This person uses SSHportal in their security-hardened hosting company.

If you need to invite multiple people to an event (hackathon, course, etc), the day before the event you can create multiple accounts at once, print the invite, and distribute the paper.


Features and limitations

  • Single autonomous binary (~10-20Mb) with no runtime dependencies (embeds ssh server and client)
  • Portable / Cross-platform (regularly tested on linux and OSX/darwin)
  • Store data in Sqlite3 or MySQL (probably easy to add postgres, mssql thanks to gorm)
  • Stateless -> horizontally scalable when using MySQL as the backend
  • Connect to remote host using key or password
  • Admin commands can be run directly or in an interactive shell
  • Host management
  • User management (invite, group, stats)
  • Host Key management (create, remove, update, import)
  • Automatic remote host key learning
  • User Key management (multiple keys per user)
  • ACL management (acl+user-groups+host-groups)
  • User roles (admin, trusted, standard, ...)
  • User invitations (no more "give me your public ssh key please")
  • Easy server installation (generate shell command to setup authorized_keys)
  • Sensitive data encryption
  • Session management (see active connections, history, stats, stop)
  • Audit log (logging every user action)
  • Record TTY Session (with ttyrec format, use ttyplay for replay)
  • Tunnels logging
  • Host Keys verifications shared across users
  • Healthcheck user (replying OK to any user)
  • SSH compatibility
    • ipv4 and ipv6 support
    • scp support
    • rsync support
    • tunneling (local forward, remote forward, dynamic forward) support
    • sftp support
    • ssh-agent support
    • X11 forwarding support
    • Git support (can be used to easily use multiple user keys on GitHub, or access your own firewalled gitlab server)
    • Do not require any SSH client modification or custom .ssh/config, works with every tested SSH programming libraries and every tested SSH clients
  • SSH to non-SSH proxy

(Known) limitations

  • Does not work (yet?) with mosh
  • It is not possible for a user to access a host with the same name as the user. This is easily circumvented by changing the user name, especially since the most common use cases does not expose it.
  • It is not possible to access a host named healthcheck as this is a built-in command.

Docker

Docker is the recommended way to run sshportal.

An automated build is setup on the Docker Hub.

# Start a server in background
#   mount `pwd` to persist the sqlite database file
docker run -p 2222:2222 -d --name=sshportal -v "$(pwd):$(pwd)" -w "$(pwd)" moul/sshportal:v1.10.0

# check logs (mandatory on first run to get the administrator invite token)
docker logs -f sshportal

The easier way to upgrade sshportal is to do the following:

# we consider you were using an old version and you want to use the new version v1.10.0

# stop and rename the last working container + backup the database
docker stop sshportal
docker rename sshportal sshportal_old
cp sshportal.db sshportal.db.bkp

# run the new version
docker run -p 2222:2222 -d --name=sshportal -v "$(pwd):$(pwd)" -w "$(pwd)" moul/sshportal:v1.10.0
# check the logs for migration or cross-version incompatibility errors
docker logs -f sshportal

Now you can test ssh-ing to sshportal to check if everything looks OK.

In case of problem, you can rollback to the latest working version with the latest working backup, using:

docker stop sshportal
docker rm sshportal
cp sshportal.db.bkp sshportal.db
docker rename sshportal_old sshportal
docker start sshportal
docker logs -f sshportal

Manual Install

Get the latest version using GO.

GO111MODULE=on go get -u moul.io/sshportal

Backup / Restore

sshportal embeds built-in backup/restore methods which basically import/export JSON objects:

# Backup
ssh portal config backup  > sshportal.bkp

# Restore
ssh portal config restore < sshportal.bkp

This method is particularly useful as it should be resistant against future DB schema changes (expected during development phase).

I suggest you to be careful during this development phase, and use an additional backup method, for example:

# sqlite dump
sqlite3 sshportal.db .dump > sshportal.sql.bkp

# or just the immortal cp
cp sshportal.db sshportal.db.bkp

built-in shell

sshportal embeds a configuration CLI.

By default, the configuration user is admin, (can be changed using --config-user=<value> when starting the server. The shell is also accessible through ssh [username]@portal.example.org.

Each command can be run directly by using this syntax: ssh [email protected] <command> [args]:

ssh [email protected] host inspect toto

You can enter in interactive mode using this syntax: ssh [email protected]

sshportal overview


Demo data

The following servers are freely available, without external registration, it makes it easier to quickly test sshportal without configuring your own servers to accept sshportal connections.

ssh portal host create [email protected]
ssh sdf@portal

ssh portal host create [email protected]
ssh whoami@portal

ssh portal host create [email protected]
ssh chat@portal

Shell commands

# acl management
acl help
acl create [-h] [--hostgroup=HOSTGROUP...] [--usergroup=USERGROUP...] [--pattern=<value>] [--comment=<value>] [--action=<value>] [--weight=value]
acl inspect [-h] ACL...
acl ls [-h] [--latest] [--quiet]
acl rm [-h] ACL...
acl update [-h] [--comment=<value>] [--action=<value>] [--weight=<value>] [--assign-hostgroup=HOSTGROUP...] [--unassign-hostgroup=HOSTGROUP...] [--assign-usergroup=USERGROUP...] [--unassign-usergroup=USERGROUP...] ACL...

# config management
config help
config backup [-h] [--indent] [--decrypt]
config restore [-h] [--confirm] [--decrypt]

# event management
event help
event ls [-h] [--latest] [--quiet]
event inspect [-h] EVENT...

# host management
host help
host create [-h] [--name=<value>] [--password=<value>] [--comment=<value>] [--key=KEY] [--group=HOSTGROUP...] [--hop=HOST] [--logging=MODE] <username>[:<password>]@<host>[:<port>]
host inspect [-h] [--decrypt] HOST...
host ls [-h] [--latest] [--quiet]
host rm [-h] HOST...
host update [-h] [--name=<value>] [--comment=<value>] [--key=KEY] [--assign-group=HOSTGROUP...] [--unassign-group=HOSTGROUP...] [--logging-MODE] [--set-hop=HOST] [--unset-hop] HOST...

# hostgroup management
hostgroup help
hostgroup create [-h] [--name=<value>] [--comment=<value>]
hostgroup inspect [-h] HOSTGROUP...
hostgroup ls [-h] [--latest] [--quiet]
hostgroup rm [-h] HOSTGROUP...

# key management
key help
key create [-h] [--name=<value>] [--type=<value>] [--length=<value>] [--comment=<value>]
key import [-h] [--name=<value>] [--comment=<value>]
key inspect [-h] [--decrypt] KEY...
key ls [-h] [--latest] [--quiet]
key rm [-h] KEY...
key setup [-h] KEY
key show [-h] KEY

# session management
session help
session ls [-h] [--latest] [--quiet]
session inspect [-h] SESSION...

# user management
user help
user invite [-h] [--name=<value>] [--comment=<value>] [--group=USERGROUP...] <email>
user inspect [-h] USER...
user ls [-h] [--latest] [--quiet]
user rm [-h] USER...
user update [-h] [--name=<value>] [--email=<value>] [--set-admin] [--unset-admin] [--assign-group=USERGROUP...] [--unassign-group=USERGROUP...] USER...

# usergroup management
usergroup help
usergroup create [-h] [--name=<value>] [--comment=<value>]
usergroup inspect [-h] USERGROUP...
usergroup ls [-h] [--latest] [--quiet]
usergroup rm [-h] USERGROUP...

# other
exit [-h]
help, h
info [-h]
version [-h]

Healthcheck

By default, sshportal will return OK to anyone sshing using the healthcheck user without checking for authentication.

$ ssh healthcheck@sshportal
OK
$

the healtcheck user can be changed using the healthcheck-user option.


Alternatively, you can run the built-in healthcheck helper (requiring no ssh client nor ssh key):

Usage: `sshportal healthcheck [--addr=host:port] [--wait] [--quiet]

$ sshportal healthcheck --addr=localhost:2222; echo $?
$ 0

Wait for sshportal to be healthy, then connect

$ sshportal healthcheck --wait && ssh sshportal -l admin
config>

portal alias (.ssh/config)

Edit your ~/.ssh/config file (create it first if needed)

Host portal
  User      admin
  Port      2222       # portal port
  HostName  127.0.0.1  # portal hostname
# you can now run a shell using this:
ssh portal
# instead of this:
ssh localhost -p 2222 -l admin

# or connect to hosts using this:
ssh hostname@portal
# instead of this:
ssh localhost -p 2222 -l hostname

Scaling

sshportal is stateless but relies on a database to store configuration and logs.

By default, sshportal uses a local sqlite database which isn't scalable by design.

You can run multiple instances of sshportal sharing the same MySQL database, using sshportal --db-conn=user:pass@host/dbname?parseTime=true --db-driver=mysql.

sshportal cluster with MySQL backend

See examples/mysql.


Under the hood

sshportal data model


Testing

Install golangci-lint and run this in project root:

golangci-lint run

Perform integration tests

make integration

Perform unit tests

make unittest

Contributors

Code Contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

Stargazers over time

Stargazers over time

More Repositories

1

assh

💻 make your ssh client smarter
Go
2,868
star
2

awesome-ssh

💻 A curated list of SSH resources.
2,245
star
3

quicssh

SSH over QUIC
Go
796
star
4

http2curl

📐 Convert Golang's http.Request to CURL command line
Makefile
704
star
5

node-gitlab

DEPRECATED, see https://github.com/node-gitlab/node-gitlab
JavaScript
474
star
6

protoc-gen-gotemplate

📂 generic protocol generator based on golang's text/template (grpc/protobuf)
Go
438
star
7

gotty-client

🔧 terminal client for GoTTY
Go
296
star
8

golang-repo-template

🌀 A template for creating new Golang + Docker + Canonical Domain + Badges + Dependabot + Renovate + GolangCI-lint + Goreleaser + GitHub Actions + Gitpod + Depaware + Git Hooks + ...
Go
274
star
9

zapgorm2

⚡ zap logging driver for gorm v2
Go
246
star
10

alfred-workflow-gauth

🔑 TOTP - Google Authenticator Workflow for Alfred2 (Two-Factor authentication)
Python
239
star
11

ssh2docker

🐳 standalone SSH server that connects you to your Docker containers
Go
183
star
12

docker-diff

🐳 Compare Docker images
Shell
154
star
13

depviz

👓 dependency visualizer for GitHub & GitLab (a.k.a., "auto-roadmap")
Go
143
star
14

grpcbin

httpbin like for gRPC
Go
128
star
15

travis-docker

🐳👨 Docker in Travis-CI
Shell
108
star
16

docker-icecast

📻 Icecast 2 in Dockerfile (Docker container, compatible with liquidsoap)
XSLT
103
star
17

iocat

🔧 Socket.io & WebSocket netcat-like utility
CoffeeScript
83
star
18

number-to-words

convert number into words (english, french, italian, roman, spanish, portuguese, belgium, dutch, swedish, polish, russian, iranian, roman, aegean)
Go
73
star
19

awesome-ascii-art

A curated list of ascii-art resources
49
star
20

docker-kernel-builder

🐧 Kernel build environment in Docker
48
star
21

docker-readthedocs

🐳 ReadTheDocs (RTD, read the docs) in docker
Shell
43
star
22

kafka-gateway

🌊 Kafka Gateway (gRPC/protobuf + http/json)
Go
40
star
23

zapgorm

⚡ Zap logger for GORM (support v1 and v2)
Go
38
star
24

retry

🐚 retry shell commands
Makefile
26
star
25

dockerpatch

🐳 Read, write, manipulate, convert & apply filters to Dockerfiles
Go
24
star
26

chizap

⚡️ simple zap logging middleware for go-chi
Go
22
star
27

radioman

🎵 Web radio solution using Liquidsoap and Icecast
Go
21
star
28

dockerself

🐳 runtime self dockerizer
Go
21
star
29

anonuuid

🔧 Anonymize UUIDs outputs (written in Golang)
Go
20
star
30

node-scaleway

🔧 Online Labs API client in Node.js and browser javascript
JavaScript
19
star
31

pb

C#
18
star
32

scaleway-ipxe

💃 custom IPXE config on Scaleway servers
17
star
33

zapfilter

⚡💊 advanced filtering for uber's zap logger
Go
15
star
34

gno-basics

Gnolang smart contract examples
Go
15
star
35

sapin

🎄 draw a beautiful christmas tree in ascii using Golang
Go
14
star
36

totp-keychain

🔒 TOTP cli backed by the OS X keychain
Go
14
star
37

cleanarch

🚿 the clean architecture, optimised for Golang
Go
14
star
38

grpcbin-example

Go
14
star
39

xbmc-remote-keyboard

📹 Send local keyboard presses to a remote XBMC/Kodi through JSON RPC api (javascript, coffee, ncurses)
CoffeeScript
14
star
40

captcha

🦾 a "Completely Automated Public Turing test to tell Computers and Humans Apart" CLI
Go
13
star
41

golang-boilerplate

🔧 Golang project bootstrap
Makefile
13
star
42

scaleway-cli-node

💻 Interract with Scaleway from command line (Mimics Docker CLI)
JavaScript
12
star
43

acl

👮 ACL micro-service (gRPC/protobuf + http/json)
Go
12
star
44

progress

🏗 progress, steps, completion patterns for golang
Go
12
star
45

node-icecast-admin

📻 Icecast admin nodejs library - used for statistics
JavaScript
12
star
46

stegaporn

8========D The art of hiding sensitive data in porn videos
Shell
11
star
47

docker-liquidsoap

📻 Liquidsoap in Docker - compatible with icecast
Dockerfile
11
star
48

pipotron

generic (& funny?) text generator
Go
11
star
49

bot

🤖 my personal bot / virtual assistant (GitHub, Discord, HTTP+gRPC API, Twitter, Coffee, etc)
Go
11
star
50

translator

🎤 Translator micro-service
Go
10
star
51

image-builder

⚠️ ARCHIVED ⚠️
10
star
52

node-leboncoin

🔧 leboncoin.fr nodejs library
CoffeeScript
10
star
53

node-netsoul

Netsoul client - Epitech, Epita, Ionis
JavaScript
9
star
54

internet-status

📶 Check internet connectivity
Go
9
star
55

totp-cli

🔒 TOTP CLI
Go
8
star
56

docker-coreos-img

🐳 CoreOS image in a docker image
Makefile
8
star
57

generate-fake-data

🧬 CLI to generate fake data for testing
Go
8
star
58

euler

🎲 Project Euler in Golang
Go
8
star
59

shikaku

🀄 Shikaku generator
Go
8
star
60

git-ci

♐ git subcommand to interract with CI/CD from command line
Go
8
star
61

docker-binfmt-register

🐳 Register Binfmt-support in Docker, works with boot2docker to run armhf images
8
star
62

nixpkgs

🧔 personal nix config #nixos
Nix
8
star
63

graphman

graph manipulation library in golang (pert, cpm, dijkstra, ...)
Go
8
star
64

3d-stereo-html5

3d anaglyph / stereoscopic html5 canvas viewer
8
star
65

libmusic

Manipulate Music in Golang
Go
8
star
66

converter

✂️ multiformat data conversion
Go
7
star
67

mbin

:neckbeard: plenty of more-or-less useful scripts I use(d)
Python
7
star
68

irccloud-desktop-app

💻 IRC Cloud Desktop Application (irccloud.com)
CSS
7
star
69

cryptoguess

Automatically detect and parse cryptography keys
Go
7
star
70

ascii2svg

Go
7
star
71

conf-du-loose

💀🔫 Hacked
Shell
7
star
72

as-a-service

👨 Me, as a service
Go
7
star
73

pkgman

📱 Package manipulation tool & library (ipa, etc)
Go
7
star
74

drunken-bishop

Drunken Bishop algorithm for Ascii-Art representation of Fingerprint
Makefile
7
star
75

image-tools-v1

⚠️ Archives ⚠️ Image Tools - Scripts to build images on Online Labs
7
star
76

hacker-typing

☠️🏴‍☠️🦜 impress your friends :)
Makefile
7
star
77

port-docker-image

🐳 Script to port Docker image on armhf architecture
Shell
7
star
78

u

🔬 Go common utility functions
Go
7
star
79

ansicat

display ANSI files in terminal
Go
6
star
80

godev

A collection of helpers I use during Golang development
Makefile
6
star
81

amiga-ball

AMIGA!!!
HTML
6
star
82

go-dl-extract

🐳 "curl | tar xf" as a static binary - ADD compressed tarball url on Docker scratch
Go
6
star
83

docker-drupal

🐳 run Drupal in Docker
Shell
6
star
84

runcache

🔧 shell command caching
Shell
6
star
85

node-slumber

🔧 Port of Python's slumber library -- (RESTful API library)
CoffeeScript
6
star
86

tapas-icecast-analytics

Icecast Web Analytics using Tapas (nodejs)
CoffeeScript
6
star
87

testman

😎 `go test` wrapper for advanced testing workflows in Go
Go
6
star
88

banner

lightweight Golang ascii-art text generator
Go
6
star
89

awesome

awesome
Go
6
star
90

node-alfred-workflow

👨 Create Alfred Workflow with NodeJS (wrapper)
Python
6
star
91

alfred-workflow-chromecast

👨 Chromecast Workflow for Alfred2
Python
6
star
92

docker-plan9port

🐳 plan9port in Docker
Dockerfile
6
star
93

prefix

🔴 prepend numbers, stats, dates, durations to streams
Go
6
star
94

term.js-cli

🔧 A command line interface client for term.js / tty.js
CoffeeScript
6
star
95

funcenter

function-level middlewares in golang
Go
6
star
96

image-service-travis

💽 WIP Official Travis-CI worker image on Online Labs
Makefile
6
star
97

zapring

💍 In-memory RING buffer backend for the Zap logger
Go
6
star
98

guilhunize

Speak like Guilhem
Makefile
6
star
99

zapconfig

⚡ Opinionated presets for Uber's Zap logging go library
Go
5
star
100

wiki

✌️ life wiki
5
star