Restrict tunnel subdomains to author SSH fingerprint

[grabbou]

Hey!

Thanks for making Sish, it's been working really great for our Open Source project. For context, we're using it to set up tunnel session from your local development machine, so you can distribute the URL to your friends to preview your work.

We are using stable subdomains (e.g. xxx.proxy.com) and right now, anyone knowing the xxx can set it, if correct flags are specified.

I wanted to keep things as stateless. After investigating the source code, I think the best mechanism to utilise is providing custom HTTP service to validate public keys.

Unfortunately, there's no "subdomain" in the body, just the public key, remote address and the user. If there was subdomain and port user is trying to set up tunnel, that would do it!

[grabbou]

This issue can be closed, but FYI, I ended up modifying source code to provide an option to automatically generate URL as a hash of subdomain and fingerprint.

[antoniomika]

Hey there @grabbou,

Sorry for the delay, I was traveling for the past few weeks!

The current way of limiting domain access is through DNS, so your method works best for "deterministic urls". Happy to accept contributions on adding that ability though!

Hope that helps!