• Stars
    star
    957
  • Rank 47,767 (Top 1.0 %)
  • Language
    Go
  • License
    MIT License
  • Created about 10 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The missing reverse proxy for ssh scp

sshpiper ๐Ÿ–‡

Go Go Report Card Docker Image

sshpiper is the reverse proxy for sshd. all protocols, including ssh, scp, port forwarding, running on top of ssh are supported.

Note: this is v1 version, checkout legacy v0 here

Overview and Terminology

  • downstream: the client side, typically an ssh client.
  • upstream: the server side, typically an ssh server.
  • plugin: handles the routing from downstream to upstream. The plugin is also responsible for mapping authentication methods to the upstream server. For example, the downstream may use password authentication, but the upstream server may receive public key authentication mapped by sshpiper.
  • additional challenge: some plugins will not only perform routing but also add additional challenges to SSH authentication for the upstream server. For example, the downstream may be asked for two-factor authentication provided by the plugin.
+---------+                      +------------------+          +-----------------+
|         |                      |                  |          |                 |
|   Bob   +----ssh -l bob----+   |   sshpiper    +------------->   Bob' machine  |
|         |                  |   |               |  |          |                 |
+---------+                  |   |               |  |          +-----------------+
                             +---> pipe-by-name--+  |                             
+---------+                  |   |               |  |          +-----------------+
|         |                  |   |               |  |          |                 |
|  Alice  +----ssh -l alice--+   |               +------------->  Alice' machine |
|         |                      |                  |          |                 |
+---------+                      +------------------+          +-----------------+


 downstream                         sshpiper                        upstream                     

Quick start

Build

git clone https://github.com/tg123/sshpiper
cd sshpiper
git submodule update --init --recursive

mkdir out
go build -tags full -o out ./...

Run simple demo

start dummy sshd server

docker run -d -e USER_NAME=user -e USER_PASSWORD=pass -e PASSWORD_ACCESS=true -p 127.0.0.1:5522:2222 lscr.io/linuxserver/openssh-server

start sshpiperd with fixed plugin targetting the dummy sshd server

sudo ./out/sshpiperd ./out/fixed --target 127.0.0.1:5522

test ssh connection (password: pass)

ssh 127.0.0.1 -l user -p 2222

โž• math before login?

Here illustrates the example of addional challenge before the fixed plugin.

sudo ./out/sshpiperd --log-level=trace ./out/simplemath -- ./out/fixed --target 127.0.0.1:5522

Plugins

icons

  • ๐Ÿ”€: routing plugin
  • ๐Ÿ”’: addtional challenge plugin

Plugin list

  • workingdir ๐Ÿ”€: /home-like directory to managed upstreams routing by sshpiped.
  • workingdirbykey ๐Ÿ”€: same as workingdir but uses public key to route.
  • yaml ๐Ÿ”€: config routing with a single yaml file.
  • docker ๐Ÿ”€: pipe into docker containers.
  • kubernetes ๐Ÿ”€: manage pipes via Kubernetes CRD.
  • totp ๐Ÿ”’: TOTP 2FA plugin. compatible with all RFC6238 authenticator, for example: google authenticator, azure authenticator.
  • azdevicecode ๐Ÿ”’: ask user to enter azure device code before login
  • fixed ๐Ÿ”€: fixed targetting the dummy sshd server
  • simplemath ๐Ÿ”’: ask for very simple math question before login, demo purpose
  • githubapp ๐Ÿ”€: login ssh with your github account
  • restful by @11notes ๐Ÿ”€๐Ÿ”’: The rest plugin for sshpiperd is a simple plugin that allows you to use a restful backend for authentication and challenge.
  • failtoban ๐Ÿ”’: ban ip after failed login attempts

Screening recording

sshpiperd support recording the screen in typescript format (not the lang). The format is compatible with scriptreplay(1)

To use it, start sshpiperd with --typescript-log-dir loggingdir

Example:

```
ssh [email protected] -p 2222
... do some commands
exit


$ cd loggingdir/user_name
$ ls *.timing *.typescript
1472847798.timing 1472847798.typescript

$ scriptreplay -t 1472847798.timing 1472847798.typescript # will replay the ssh session
```

Public key authentication when using sshpiper (Private key remapping)

During SSH publickey auth, RFC 4252 Section 7, ssh client sign session_id and some other data using private key into a signature sig. This is for server to verify that the connection is from the client not the man in the middle.

However, sshpiper actually holds two ssh connection, and it is doing what the man in the middle does. the two ssh connections' session_id will never be the same, because they are hash of the shared secret. RFC 4253 Section 7.2.

To support publickey auth, sshpiper routing plugin must provide a new private key for the upstream to sign the session_id. This new private key is called mapping key.

How this work

+------------+        +------------------------+                       
|            |        |                        |                       
|   client   |        |   sshpiper             |                       
|   PK_X     +-------->      |                 |                       
|            |        |      v                 |                       
|            |        |   Check Permission     |                       
+------------+        |      |                 |                       
                      |      |                 |                       
                      |      |                 |     +----------------+
                      |      v                 |     |                |
                      |   sign agian           |     |   server       |
                      |   using PK_Y  +-------------->   check PK_Y   |
                      |                        |     |                |
                      |                        |     |                |
                      +------------------------+     +----------------+

Migrating from v0

What's the major change in v1

  • low level sshpiper api is fully redesigned to support more routing protocols.
  • plugins system totally redesigned to be more flexible and extensible.
    • plugins are now sperated from main process and no longer a single big binary, this allow user to write their own plugins without touching sshpiperd code.
  • grpc is first class now, the plugins are built on top of it

For plugins already in v1, you need change params to new params. However, not all plugins are migrated to v1 yet, they are being migrated gradually. you can still use the old plugins in v0 branch

Contributing

see CONTRIBUTING.md

License

MIT

More Repositories

1

leetcode

leetcode Solutions.java 250 / 269 (Algorithms)
Java
359
star
2

commandlinefu.cn

ไธญๆ–‡็‰ˆcommandlinefu
C#
271
star
3

chrome-hostadmin

HostAdmin for Firefox Chrome ...
C
213
star
4

websockify-nginx-module

Embed websockify into Nginx (convert any tcp connection into websocket)
C
141
star
5

myslot

The missing layout/keybinding/macro exportor for World of Warcraft
Lua
45
star
6

docker-sshd

ssh into any docker container/Kubernetes pod without sshd
Go
42
star
7

go-htpasswd

Apache htpasswd Parser for Go.
Go
37
star
8

IronLeveldb

A leveldb implementation in C#
C#
27
star
9

bottle-mysql

MySQL integration for Bottle.
Python
21
star
10

RaidLedger

A ledger for GDKP/gold run raid in World of Warcraft
Lua
16
star
11

Docker-AzureStorageEmulator

Docker Image of AzureStorageEmulator
Dockerfile
13
star
12

docker-wicket

Docker registry auth/index server for both v1 and v2
Go
10
star
13

BattleInfo

Enrich your battleground information
Lua
9
star
14

qrcode-wow

In game QRCode creator for World of Warcraft
Lua
6
star
15

fabric

Service Fabric Golang SDK (Unofficial)
Go
5
star
16

FabricPing

network tools for service fabric
Go
4
star
17

sshpiper-gh

ssh with your github identity
Go
4
star
18

ConsistentSharp

Consistent hash for dotnet core. port from go version https://github.com/stathat/consistent
C#
3
star
19

phabrik

Native Go Impl of Service Fabric Protocol
Go
3
star
20

Docker-AzCopy

Docker image for AzCopy
Dockerfile
2
star
21

sfrun

Run any .exe on Service Fabric like a hero
C#
2
star
22

pyinstaller.docker

Docker image for pyinstaller
2
star
23

welto

Lua
2
star
24

azbastion

go version of az network bastion tunnel
Go
1
star
25

hostadmin.js

library to parse and toggle entries in hosts file
CoffeeScript
1
star
26

docker-tocmd

create the `docker run` of a container!
Go
1
star
27

FabricEmu

Service Fabric Emulator, run your stateful service fabric app without service fabric cluster
Go
1
star
28

xtcprelay

tcp over any data link layer, even mail based floppy
Go
1
star
29

csv2xls_sae

covert csv to xls all cell will be set to text to prevent from big number data losing
Python
1
star
30

remotesigner

crypto.Signer backed by a remote service, grpc, rest or even more
Go
1
star
31

azkeyvault

Golang crypto.Signer and crypto.Decrypter backed by Azure KeyVault
Go
1
star
32

jobobject

Windows JobObject utils for kill all child processes when parent process exits
Go
1
star
33

sshpiper-openpubkey

sshpiper openpubkey plugin
Go
1
star
34

sshpiper-chart

helm chart for sshpiper
Smarty
1
star