feat: implement direct ssh #332
Conversation
…value for a given key in a Map m is non-null and of a specific Type
refactor: re-ordered method parameters for consistency feat: added (empty) `startDirectSsh` method
…refactoring.
- Function renames / moves
- Instance variable renames / removals
- The `cleanupAfterReverseSsh` function now takes an SSHNP object as its parameter, so it can check whether the initialization had completed and whether a reverse ssh was actually used. This was necessary since that function is called from many different places
- Added `legacy-daemon` flag
- For the interim, `legacy-daemon` defaults to true, so that the existing test pack can run unchanged.
@cconstab All working. Ready for initial review. I've not yet decided on the best way to decide on what flavour of notification to send to the daemon. Maybe better would be an option like
Currently there is a flag called
The bug... At present we create a ssh key pair and use that to auth to get to the sshd on localhost/22. The sshnp aim should just be to get to the localhost/22 and auth with the new key but not to get a shell, via the sleep command in .ssh/authorized_hosts that only allows the forwarding of port 22. Then a ssh client can auth in the normal manner. Why do this? Because many people already have ssh auth / key rotation in place and we do not want to break that; we just want to get to the daemon. You may have done just this already; not been able to look at the code as yet. Very exciting!
Ephemeral keys are required for the server to ssh to the client. There is no need for an ephemeral keypair for the client to ssh to the server - user just specifies the identity file they want to use
@cconstab and I have chatted and believe best is to make this v4.0.0 with `--legacy-daemon` defaulting to false, and with release notes that say “client is fully backwards compatible with previous versions’ daemons if you supply the `--legacy-daemon` flag” and “v4 daemons are fully compatible with previous versions’ clients”. I will adjust the e2e tests accordingly, and also add tests of direct ssh where appropriate (local-local only, to start with).
- Added utility functions which are used by sshnp to sign and for sshnpd to verify request notification payloads
- Having sshnpd sign and sshnp verify the response notification payloads will be a straightforward next step
style: renamed a variable
# Conflicts:
#	packages/sshnoports/lib/version.dart
- What I did
`sshd` running by enabling clients to request that the daemon set things up for a direct ssh.

NOTE 1: There is one bug I know about right now. If you are doing a direct ssh then you MUST provide the `-s <xxx.pub>` argument to the sshnp program. If you do not then the initial background ssh (to set up the local port forwarding) will fail. I will add some defensive code later.

NOTE 2: Added signing and verification of sshnp-to-sshnpd request notification payloads. TODO: Add signing and verification of sshnpd-to-sshnp response notification payloads.
- How I did it
Easiest to see by looking at the individual commits, which show the progress step by step
- How to verify it