HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.

Overview

sish

An open source serveo/ngrok alternative.

Deploy

Builds are made automatically for each commit to the repo and are pushed to Dockerhub. Builds are tagged using a commit sha, branch name, tag, latest if released on main. You can find a list here. Each release builds separate sish binaries that can be downloaded from here for various OS/archs. Feel free to either use the automated binaries or to build your own. If you submit a PR, images are not built by default and will require a retag from a maintainer to be built.

  1. Pull the Docker image

    • docker pull antoniomika/sish:latest
  2. Run the image

    • docker run -itd --name sish \
        -v ~/sish/ssl:/ssl \
        -v ~/sish/keys:/keys \
        -v ~/sish/pubkeys:/pubkeys \
        --net=host antoniomika/sish:latest \
        --ssh-address=:22 \
        --http-address=:80 \
        --https-address=:443 \
        --https=true \
        --https-certificate-directory=/ssl \
        --authentication-keys-directory=/pubkeys \
        --private-key-location=/keys/ssh_key \
        --bind-random-ports=false
  3. SSH to your host to communicate with sish

    • ssh -p 2222 -R 80:localhost:8080 ssi.sh

Docker Compose

You can also use Docker Compose to setup your sish instance. This includes taking care of SSL via Let's Encrypt for you. This uses the adferrand/dnsrobocert container to handle issuing wildcard certifications over DNS. For more information on how to use this, head to that link above. Generally, you can deploy your service like so:

docker-compose -f deploy/docker-compose.yml up -d

The domain and DNS auth info in deploy/docker-compose.yml and deploy/le-config.yml should be updated to reflect your needs. You will also need to create a symlink that points to your domain's Let's Encrypt certificates like:

ln -s /etc/letsencrypt/live/<your domain>/fullchain.pem deploy/ssl/<your domain>.crt
ln -s /etc/letsencrypt/live/<your domain>/privkey.pem deploy/ssl/<your domain>.key

Careful: the symlinks need to point to /etc/letsencrypt, not a relative path. The symlinks will not resolve on the host filesystem, but they will resolve inside of the sish container because it mounts the letsencrypt files in /etc/letsencrypt, not ./letsencrypt.

I use these files in my deployment of ssi.sh and have included them here for consistency.

Google Cloud Platform

There is a tutorial for creating an instance in Google Cloud Platform with sish fully setup that can be found here. It can be accessed through Google Cloud Shell.

Open in Cloud Shell

How it works

SSH can normally forward local and remote ports. This service implements an SSH server that only handles forwarding and nothing else. The service supports multiplexing connections over HTTP/HTTPS with WebSocket support. Just assign a remote port as port 80 to proxy HTTP traffic and 443 to proxy HTTPS traffic. If you use any other remote port, the server will listen to the port for TCP connections, but only if that port is available.

You can choose your own subdomain instead of relying on a randomly assigned one by setting the --bind-random-subdomains option to false and then selecting a subdomain by prepending it to the remote port specifier:

ssh -p 2222 -R foo:80:localhost:8080 ssi.sh

If the selected subdomain is not taken, it will be assigned to your connection.

Supported forwarding types

HTTP forwarding

sish can forward any number of HTTP connections through SSH. It also provides logging the connections to the connected client that has forwarded the connection and a web interface to see full request and responses made to each forwarded connection. Each webinterface can be unique to the forwarded connection or use a unified access token. To make use of HTTP forwarding, ports [80, 443] are used to tell sish that a HTTP connection is being forwarded and that HTTP virtualhosting should be defined for the service. For example, let's say I'm developing a HTTP webservice on my laptop at port 8080 that uses websockets and I want to show one of my coworkers who is not near me. I can forward the connection like so:

ssh -R hereiam:80:localhost:8080 ssi.sh

And then share the link https://hereiam.ssi.sh with my coworker. They should be able to access the service seamlessly over HTTPS, with full websocket support working fine. Let's say hereiam.ssi.sh isn't available, then sish will generate a random subdomain and give that to me.

TCP forwarding

Any TCP based service can be used with sish for TCP and alias forwarding. TCP forwarding will establish a remote port on the server that you deploy sish to and will forward all connections to that port through the SSH connection and to your local device. For example, if I was to run a SSH server on my laptop with port 22 and want to be able to access it from anywhere at ssi.sh:2222, I can use an SSH command on my laptop like so to forward the connection:

ssh -R 2222:localhost:22 ssi.sh

I can use the forwarded connection to then access my laptop from anywhere:

ssh -p 2222 ssi.sh

TCP alias forwarding

Let's say instead I don't want the service to be accessible by the rest of the world, you can then use a TCP alias. A TCP alias is a type of forwarded TCP connection that only exists inside of sish. You can gain access to the alias by using SSH with the -W flag, which will forwarding the SSH process' stdin/stdout to the fowarded TCP connection. In combination with authentication, this will guarantee your remote service is safe from the rest of the world because you need to login to sish before you can access it. Changing the example above for this would mean running the following command on my laptop:

ssh -R mylaptop:22:localhost:22 ssi.sh

sish won't publish port 22 or 2222 to the rest of the world anymore, instead it'll retain a pointer saying that TCP connections made from within SSH after a user has authenticated to mylaptop:22 should be forwarded to the forwarded TCP tunnel. Then I can use the forwarded connection access my laptop from anywhere using:

ssh -o ProxyCommand="ssh -W %h:%p ssi.sh" mylaptop

Shorthand for which is this with newer SSH versions:

ssh -J ssi.sh mylaptop

Authentication

If you want to use this service privately, it supports both public key and password authentication. To enable authentication, set --authentication=true as one of your CLI options and be sure to configure --authentication-password or --authentication-keys-directory to your liking. The directory provided by --authentication-keys-directory is watched for changes and will reload the authorized keys automatically. The authorized cert index is regenerated on directory modification, so removed public keys will also automatically be removed. Files in this directory can either be single key per file, or multiple keys per file separated by newlines, similar to authorized_keys. Password auth can be disabled by setting --authentication-password="" as a CLI option.

One of my favorite ways of using this for authentication is like so:

[email protected]:~/sish/pubkeys# curl https://github.com/antoniomika.keys > antoniomika

This will load my public keys from GitHub, place them in the directory that sish is watching, and then load the pubkey. As soon as this command is run, I can SSH normally and it will authorize me.

Custom domains

sish supports allowing users to bring custom domains to the service, but SSH key auth is required to be enabled. To use this feature, you must setup TXT and CNAME/A records for the domain/subdomain you would like to use for your forwarded connection. The CNAME/A record must point to the domain or IP that is hosting sish. The TXT record must be be a key=val string that looks like:

sish=SSHKEYFINGERPRINT

Where SSHKEYFINGERPRINT is the fingerprint of the key used for logging into the server. You can set multiple TXT records and sish will check all of them to ensure at least one is a match. You can retrieve your key fingerprint by running:

ssh-keygen -lf ~/.ssh/id_rsa | awk '{print $2}'

If you trust the users connecting to sish and would like to allow any domain to be used with sish (bypassing verification), there are a few added flags to aid in this. This is especially useful when adding multiple wildcard certificates to sish in order to not need to automatically provision Let's Encrypt certs. To disable verfication, set --bind-any-host=true, which will allow and subdomain/domain combination to be used. To only allow subdomains of a certain subset of domains, you can set --bind-hosts to a comma separated list of domains that are allowed to be bound.

To add certficates for sish to use, configure the --https-certificate-directory flag to point to a dir that is accessible by sish. In the directory, sish will look for a combination of files that look like name.crt and name.key. name can be arbitrary in either case, it just needs to be unique to the cert and key pair to allow them to be loaded into sish.

Load balancing

sish can load balance any type of forwarded connection, but this needs to be enabled when starting sish using the --http-load-balancer, --tcp-load-balancer, and --alias-load-balancer flags. Let's say you have a few edge nodes (raspberry pis) that are running a service internally but you want to be able to balance load across these devices from the outside world. By enabling load balancing in sish, this happens automatically when a device with the same forwarded TCP port, alias, or HTTP subdomain connects to sish. Connections will then be evenly distributed to whatever nodes are connected to sish that match the forwarded connection.

Whitelisting IPs

Whitelisting IP ranges or countries is also possible. Whole CIDR ranges can be specified with the --whitelisted-ips option that accepts a comma-separated string like "192.30.252.0/22,185.199.108.0/22". If you want to whitelist a single IP, use the /32 range.

To whitelist countries, use --whitelisted-countries with a comma-separated string of countries in ISO format (for example, "pt" for Portugal). You'll also need to set --geodb to true.

DNS Setup

To use sish, you need to add a wildcard DNS record that is used for multiplexed subdomains. Adding an A record with * as the subdomain to the IP address of your server is the simplest way to achieve this configuration.

Demo - At this time, the demo instance has been set to require auth due to abuse

There is a demo service (and my private instance) currently running on ssi.sh that doesn't require any authentication. This service provides default logging (errors, connection IP/username, and pubkey fingerprint). I do not log any of the password authentication data or the data sent within the service/tunnels. My deploy uses the exact deploy steps that are listed above. This instance is for testing and educational purposes only. You can deploy this extremely easily on any host (Google Cloud Platform provides an always-free instance that this should run perfectly on). If the service begins to accrue a lot of traffic, I will enable authentication and then you can reach out to me to get your SSH key whitelisted (make sure it's on GitHub and you provide me with your GitHub username).

Notes

  1. This is by no means production ready in any way. This was hacked together and solves a fairly specific use case.
    • You can help it get production ready by submitting PRs/reviewing code/writing tests/etc
  2. This is a fairly simple implementation, I've intentionally cut corners in some places to make it easier to write.
  3. If you have any questions or comments, feel free to reach out via email [email protected] or on freenode IRC #sish

Upgrading to v1.0

There are numerous breaking changes in sish between pre-1.0 and post-1.0 versions. The largest changes are found in the mapping of command flags and configuration params. Those have changed drastically, but it should be easy to find the new counterpart. The other change is SSH keys that are supported for host key auth. sish continues to support most modern keys, but by default if a host key is not found, it will create an OpenSSH ED25519 key to use. Previous versions of sish would aes encrypt the pem block of this private key, but we have since moved to using the native OpenSSH private key format to allow for easy interop between OpenSSH tools. For this reason, you will either have to manually convert an AES encrypted key or generate a new one.

CLI Flags

sish is a command line utility that implements an SSH server that can handle HTTP(S)/WS(S)/TCP multiplexing, forwarding and load balancing.
It can handle multiple vhosting and reverse tunneling endpoints for a large number of clients.

Usage:
  sish [flags]

Flags:
      --admin-console                               Enable the admin console accessible at http(s)://domain/_sish/console?x-authorization=admin-console-token
  -j, --admin-console-token string                  The token to use for admin console access if it's enabled (default "S3Cr3tP4$$W0rD")
      --alias-load-balancer                         Enable the alias load balancer (multiple clients can bind the same alias)
      --append-user-to-subdomain                    Append the SSH user to the subdomain. This is useful in multitenant environments
      --append-user-to-subdomain-separator string   The token to use for separating username and subdomain selection in a virtualhost (default "-")
      --authentication                              Require authentication for the SSH service
  -k, --authentication-keys-directory string        Directory where public keys for public key authentication are stored.
                                                    sish will watch this directory and automatically load new keys and remove keys
                                                    from the authentication list (default "deploy/pubkeys/")
  -u, --authentication-password string              Password to use for ssh server password authentication (default "S3Cr3tP4$$W0rD")
      --banned-aliases string                       A comma separated list of banned aliases that users are unable to bind
  -o, --banned-countries string                     A comma separated list of banned countries. Applies to HTTP, TCP, and SSH connections
  -x, --banned-ips string                           A comma separated list of banned ips that are unable to access the service. Applies to HTTP, TCP, and SSH connections
  -b, --banned-subdomains string                    A comma separated list of banned subdomains that users are unable to bind (default "localhost")
      --bind-any-host                               Bind any host when accepting an HTTP listener
      --bind-hosts string                           A comma separated list of other hosts a user can bind. Requested hosts should be subdomains of a host in this list
      --bind-random-aliases                         Force bound alias tunnels to use random aliases instead of user provided ones (default true)
      --bind-random-aliases-length int              The length of the random alias to generate if a alias is unavailable or if random aliases are enforced (default 3)
      --bind-random-ports                           Force TCP tunnels to bind a random port, where the kernel will randomly assign it (default true)
      --bind-random-subdomains                      Force bound HTTP tunnels to use random subdomains instead of user provided ones (default true)
      --bind-random-subdomains-length int           The length of the random subdomain to generate if a subdomain is unavailable or if random subdomains are enforced (default 3)
      --cleanup-unbound                             Cleanup unbound (unforwarded) SSH connections after a set timeout (default true)
      --cleanup-unbound-timeout duration            Duration to wait before cleaning up an unbound (unforwarded) connection (default 5s)
  -c, --config string                               Config file (default "config.yml")
      --debug                                       Enable debugging information
  -d, --domain string                               The root domain for HTTP(S) multiplexing that will be appended to subdomains (default "ssi.sh")
      --force-requested-aliases                     Force the aliases used to be the one that is requested. Will fail the bind if it exists already
      --force-requested-ports                       Force the ports used to be the one that is requested. Will fail the bind if it exists already
      --force-requested-subdomains                  Force the subdomains used to be the one that is requested. Will fail the bind if it exists already
      --geodb                                       Use a geodb to verify country IP address association for IP filtering
  -h, --help                                        help for sish
  -i, --http-address string                         The address to listen for HTTP connections (default "localhost:80")
      --http-load-balancer                          Enable the HTTP load balancer (multiple clients can bind the same domain)
      --http-port-override int                      The port to use for http command output. This does not effect ports used for connecting, it's for cosmetic use only
      --https                                       Listen for HTTPS connections. Requires a correct --https-certificate-directory
  -t, --https-address string                        The address to listen for HTTPS connections (default "localhost:443")
  -s, --https-certificate-directory string          The directory containing HTTPS certificate files (name.crt and name.key). There can be many crt/key pairs (default "deploy/ssl/")
      --https-ondemand-certificate                  Enable retrieving certificates on demand via Let's Encrypt
      --https-ondemand-certificate-accept-terms     Accept the Let's Encrypt terms
      --https-ondemand-certificate-email string     The email to use with Let's Encrypt for cert notifications. Can be left blank
      --https-port-override int                     The port to use for https command output. This does not effect ports used for connecting, it's for cosmetic use only
      --idle-connection                             Enable connection idle timeouts for reads and writes (default true)
      --idle-connection-timeout duration            Duration to wait for activity before closing a connection for all reads and writes (default 5s)
      --load-templates                              Load HTML templates. This is required for admin/service consoles (default true)
      --load-templates-directory string             The directory and glob parameter for templates that should be loaded (default "templates/*")
      --localhost-as-all                            Enable forcing localhost to mean all interfaces for tcp listeners (default true)
      --log-to-client                               Enable logging HTTP and TCP requests to the client
      --log-to-file                                 Enable writing log output to file, specified by log-to-file-path
      --log-to-file-compress                        Enable compressing log output files
      --log-to-file-max-age int                     The maxium number of days to store log output in a file (default 28)
      --log-to-file-max-backups int                 The maxium number of rotated logs files to keep (default 3)
      --log-to-file-max-size int                    The maximum size of outputed log files in megabytes (default 500)
      --log-to-file-path string                     The file to write log output to (default "/tmp/sish.log")
      --log-to-stdout                               Enable writing log output to stdout (default true)
      --ping-client                                 Send ping requests to the underlying SSH client.
                                                    This is useful to ensure that SSH connections are kept open or close cleanly (default true)
      --ping-client-interval duration               Duration representing an interval to ping a client to ensure it is up (default 5s)
      --ping-client-timeout duration                Duration to wait for activity before closing a connection after sending a ping to a client (default 5s)
  -n, --port-bind-range string                      Ports or port ranges that sish will allow to be bound when a user attempts to use TCP forwarding (default "0,1024-65535")
  -l, --private-key-location string                 The location of the SSH server private key. sish will create a private key here if
                                                    it doesn't exist using the --private-key-passphrase to encrypt it if supplied (default "deploy/keys/ssh_key")
  -p, --private-key-passphrase string               Passphrase to use to encrypt the server private key (default "S3Cr3tP4$$phrAsE")
      --proxy-protocol                              Use the proxy-protocol while proxying connections in order to pass-on IP address and port information
      --proxy-protocol-listener                     Use the proxy-protocol to resolve ip addresses from user connections
      --proxy-protocol-policy string                What to do with the proxy protocol header. Can be use, ignore, reject, or require (default "use")
      --proxy-protocol-timeout duration             The duration to wait for the proxy proto header (default 200ms)
      --proxy-protocol-use-timeout                  Use a timeout for the proxy-protocol read
  -q, --proxy-protocol-version string               What version of the proxy protocol to use. Can either be 1, 2, or userdefined.
                                                    If userdefined, the user needs to add a command to SSH called proxyproto:version (ie proxyproto:1) (default "1")
      --redirect-root                               Redirect the root domain to the location defined in --redirect-root-location (default true)
  -r, --redirect-root-location string               The location to redirect requests to the root domain
                                                    to instead of responding with a 404 (default "https://github.com/antoniomika/sish")
      --service-console                             Enable the service console for each service and send the info to connected clients
  -m, --service-console-token string                The token to use for service console access. Auto generated if empty for each connected tunnel
  -a, --ssh-address string                          The address to listen for SSH connections (default "localhost:2222")
      --tcp-aliases                                 Enable the use of TCP aliasing
      --tcp-load-balancer                           Enable the TCP load balancer (multiple clients can bind the same port)
      --time-format string                          The time format to use for both HTTP and general log messages (default "2006/01/02 - 15:04:05")
      --verify-dns                                  Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true)
      --verify-ssl                                  Verify SSL certificates made on proxied HTTP connections (default true)
  -v, --version                                     version for sish
  -y, --whitelisted-countries string                A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections
  -w, --whitelisted-ips string                      A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections
Issues
  • Help in use with SSLH, Advanced SSH, and ProxyJump, using the SISH Docker Image

    Help in use with SSLH, Advanced SSH, and ProxyJump, using the SISH Docker Image

    Hello!
         I wish to use sish with sslh and ProxyJumps, but I can't seem to figure out how to set this up; what I'd like to do is ssh into my Linode VPS, caught by sslh on ports 443 and 80, and using sish, jump to my Raspbery Pi 3 at home, then jump to my primary server, a laptop.
         Any help with setting such a system up will be greatly appreciated!

    opened by shadowrylander 57
  • Questions and bugs on the way to 1.0

    Questions and bugs on the way to 1.0

    Hi @antoniomika - your tool is great. But current release throwing me an error:

    2020/05/25 - 17:32:56 | Starting SSH service on address: localhost:2222
    2020/05/25 - 17:32:56 | ssh: invalid openssh private key format
    

    Getting this in latest docker and standalone binary. How to create correct keys and folder structure for new version?

    opened by andreasunterhuber 18
  • Not Working-just commit info in logs

    Not Working-just commit info in logs

    It is not working.

    When I execute ssh -p 2222 -R sync:80:localhost:8384 capcloud.live

    I get not. When I check logs I see.....

    Date: 2020-05-03T03:22:51Z Version: v1.0.0-rc Commit: 93028414cc94378b0d9177199608efce3090577d Date: 2020-05-03T03:22:51Z Version: v1.0.0-rc Commit: 93028414cc94378b0d9177199608efce3090577d Date: 2020-05-03T03:22:51Z Version: v1.0.0-rc Commit: 93028414cc94378b0d9177199608efce3090577d Date: 2020-05-03T03:22:51Z

    opened by capriciousduck 15
  • Update

    Update

    I see there were many updates to your app. Do I need to re-create my docker container to have any updated version?

    opened by capriciousduck 14
  • kex_exchange_identification: Connection closed by remote host

    kex_exchange_identification: Connection closed by remote host

    I'm evaluating replacement of existing ngrok, however I encounter error.

    Here is my testing environment

    1. Sish Server, which host sish service in Azure VM and start with command.
    sudo docker run -d --rm --name sish \
      -v `pwd`/ssl:/ssl \
      -v `pwd`/keys:/keys \
      -v `pwd`/pubkeys:/pubkeys \
      # also tried latest version
      --net=host antoniomika/sish:v1.0.10 \
      --ssh-address=:2222 \
      --http-address=:80 \
      --https-address=:443 \
      --https=true \
      --https-certificate-directory=/ssl \
      --authentication-keys-directory=/pubkeys \
      --private-key-location=/keys/ssh_key \
      --bind-random-ports=false \
      --domain=sish.jonasc.dev \
      --debug=true
    
    1. Target host, which simulate a client behind NAT. To compare ngrok and sish, I start ngrok.service and ssh command
    ssh -p 2222 -R localhost:22 sish.jonasc.dev
    
    The authenticity of host '[sish.jonasc.dev]:2222 ([138.91.40.243]:2222)' can't be established.
    ED25519 key fingerprint is SHA256:pI0c5nUORoAw4CUy4NcrMQlQJvpwcN316+AmJ5B7+Ew.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[sish.jonasc.dev]:2222,[138.91.40.243]:2222' (ED25519) to the list of known hosts.
    Press Ctrl-C to close the session.
    
    The TCP port :22 is unavailable. Assigning a random port.
    Starting SSH Forwarding service for tcp:22. Forwarded connections can be accessed via the following methods:
    TCP: sish.jonasc.dev:41729
    
    1. My laptop, which I intend to ssh login from

    I can login via ngrok, however can't via sish.

    ssh -vvv -i ~/.ssh/id_rsa [email protected] -p 41729
    
    OpenSSH_8.1p1, LibreSSL 2.7.3
    debug1: Reading configuration data /Users/jonas/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 47: Applying options for *
    debug1: Connecting to sish.jonasc.dev port 41729.
    debug1: Connection established.
    debug1: identity file /Users/jonas/.ssh/id_rsa type 0
    debug1: identity file /Users/jonas/.ssh/id_rsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.1
    kex_exchange_identification: Connection closed by remote host
    

    I google similar error, however most of solution does not works to me. As I believe target host sshd configuration works for ngrok, and it should work for sish too. Could you light me what mistake I made? Thanks!

    bug 
    opened by JonasChengAsus 13
  • A Google Compute Engine setup guide

    A Google Compute Engine setup guide

    Hi, i've been trying to set this up on a GCE f1-micro vm, but i'm not quite sure how to go about that (I did try a few things in the dashboard thing, and i have been able to get it to start and bind to a port, but now i have issues configuring it, exposing the ssh server etc.), and I haven't been able to find any tutorials that use GCE, i'll probably be able to figure it out after staring at the documentation for a bit longer but a easy straight forward guide specifically with sish in mind would be nice :)

    Thanks!

    enhancement 
    opened by lmarianski 12
  • Connection to sish-host.com closed by remote host.

    Connection to sish-host.com closed by remote host.

    Hey, love the project and mostly working well! I have got the server up and running (currently on an AWS EC2 instance). I can connect to it from all of the following with a standard ssh -oStrictHostKeyChecking=no -p 2222 -R ben:80:localhost:80 sish-host.com

    • [x] Remote CentOS Server
    • [x] Windows PowerShell
    • [x] Local docker container (docker exec -it xxxxxxx sh)

    But the second I run this within a container (docker run or compose), it just fails. I've tried just about everything I could think of, but can't work it out. This is the ssh -v output

    debug1: Reading configuration data /etc/ssh/ssh_config
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    debug1: Connecting to sish-host.com [99.99.99.99] port 2222.
    debug1: Connection established.
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: identity file /root/.ssh/id_xmss type -1
    debug1: identity file /root/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.1
    debug1: Remote protocol version 2.0, remote software version Go
    debug1: no match: Go
    debug1: Authenticating to sish-host.com:2222 as 'root'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: [email protected]
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    debug1: checking without port identifier
    Warning: Permanently added '[sish-host.com]:2222,[99.99.99.99]:2222' (RSA) to the list of known hosts.
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /root/.ssh/id_rsa
    debug1: Will attempt key: /root/.ssh/id_dsa
    debug1: Will attempt key: /root/.ssh/id_ecdsa
    debug1: Will attempt key: /root/.ssh/id_ed25519
    debug1: Will attempt key: /root/.ssh/id_xmss
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to sish-host.com ([99.99.99.99]:2222).
    debug1: Remote connections from ben:80 forwarded to local address localhost:80
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: pledge: network
    Press Ctrl-C to close the session.
    Starting SSH Fowarding service for http:80. Forwarded connections can be accessed via the
    following methods:
    HTTP: http://ben.sish-host.com:80
    HTTPS: https://ben.sish-host.com:443
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 2 clearing O_NONBLOCK
    Connection to sish-host.com closed by remote host.
    Transferred: sent 1700, received 1512 bytes, in 0.0 seconds
    Bytes per second: sent 42334.2, received 37652.5
    debug1: Exit status -1
    sish_1 exited with code 255
    

    This is the server-side

    15:44:05 Accepted SSH connection for: 44.44.44.44:58208
    15:44:05 Main Channel Info session
    15:44:05 Handling session for connection: &{session [] 0 0 32768 32768 0xc000162a10 true 0 0xc000205740 {0 0} 0xc0002056e0 false {0xc00014be40 2097152 0 false} 0xc000208f00 0xc000208f40 {0 0} 2097152 {0 0} false map[]}
    15:44:05 Main Request Info tcpip-forward true benP
    15:44:05 Error trying to write message to socket: read tcp 10.0.2.4:2222->44.44.44.44:58208: use of closed network connection
    15:44:05 Closed SSH connection for: 44.44.44.44:58208 user: root
    15:44:13 =======Start=========
    15:44:13 ===Goroutines=====
    15:44:13 10
    15:44:13 ===Listeners======
    15:44:13 [::]:2222 &{0xc0000cf500 {<nil> 0}}
    15:44:13 ===Clients========
    15:44:13 ===HTTP Clients===
    15:44:13 ========End==========
    

    Where 99.99.99.99 is sish on the EC2 server and 44.44.44.44 is my local IP.

    I have been using this as a basis https://github.com/jacobtomlinson/docker-serveo. It works fine with my serveo instance on the same 99.99.99.99 server. For the purposes of testing, I created a minimal Dockerfile, which is confirmed and working with Serveo, but not with sish.

    FROM alpine:3
    
    RUN apk --no-cache add openssh
    ENTRYPOINT ["ssh", "-v", "-oStrictHostKeyChecking=no", "-p", "2222", "-R", "ben:80:localhost:80", "sish-host.com"]
    

    Here are my sish params

          -sish.addr=:2222
          -sish.auth=false
          -sish.https=:443
          -sish.http=:80
          -sish.httpsenabled=true
          -sish.httpspems=/etc/letsencrypt/live/sish-host.com
          -sish.keysdir=/pubkeys
          -sish.password=""
          -sish.pkloc=/keys/ssh_key
          -sish.bindrandom=false
          -sish.domain=sish-host.com
          -sish.forcerandomsubdomain=false
          -sish.debug=true
    

    If I can do anything to support, please let me know. Thanks again!

    opened by BenHarris 11
  • Question: Using sish as a

    Question: Using sish as a "port forwarding slave"

    Hello there!

    Due to how my ISP has set up my broadband access, I can not do port-forwarding from my router - or, my type of connection in general. To be honest, I am not exactly sure what is preventing me from port-forwarding...but, I have to do with what I have. :)

    That is why I have been looking for a way to expose ports on my local homeserver to my server, to utilize NGINX as a reverse proxy to access them. So, I have a few questions:

    1. Can I run sish to forward only HTTP and TCP connections, so that I can NGINX to add my HTTPS certificates ontop?
    2. I would like to dedicate the subdomain home.ingwie.io to everything related to my homeserver and use subdomains to differenciate between the various things running on it. I am not aware if NGINX has wildcard support in server_name though - but, I wouldn't be surprised if it did. That way, I could run another instance of NGINX on my homeserver to handle subdomains (foo.home.ingwie.io for instance). What would be the flags I'd have to pass to sish to tell it that home.ingwie.io is the main domain to use?
    3. Do you know if any way to automate SSH tunnel setup? I am using an older Mac Mini server and I do have a general idea of how to set up launchd services to run commands much like systemd. What commands would I have to use to bring up a tunnel, shut it down or verify it's status?

    I am looking forward to your reply!

    Kind regards, Ingwie

    opened by IngwiePhoenix 11
  •  Api interface for ssh tunnel management

    Api interface for ssh tunnel management

    Suggested features: kill tunnel, list of active tunnels, number of active tunnels, info about specified tunnel (like in log - 2019/12/14 - 19:34:00 | host.com | 200 | 6.792909ms | ip | GET /api/v2/test) ,tunnel stats with bytes in/out , list of dropped tunnels with timestamp and reason

    opened by fork04 10
  • Strange behaviour when trying to use server-sent events (SSE) - possibly compression related?

    Strange behaviour when trying to use server-sent events (SSE) - possibly compression related?

    I was testing out sish for use with a Webpack-based dev server, and noticed that for some reason, sish breaks the hot module replacement (HMR) feature which is using server-sent events (SSE) to push code changes to the browser.

    I made a screen recording of the phenomenon. The top browser window is being accessed via sish, whereas the bottom window is being accessed directly:

    https://user-images.githubusercontent.com/100152/133586149-1693b0a2-2934-4d4c-84d3-44ba8b4483eb.mov

    As you can see, the sish version takes a few updates to start working. Once it starts working, it seems to usually be one update behind, but also misses some updates entirely. The only possible culprit I can think of is compression, because it's known to cause issues with SSE - see this explanation:

    To compress content, a window of the output needs to be buffered up in order to get good compression. Typically when using server-sent events, there are certain block of data that need to reach the client.

    I don't really know how to turn this into a nice reproducible demo unfortunately. The specific package doing the SSE in this case is webpack-hot-middleware, but I'm not sure that helps much. I tried to create a much smaller reproduction with a simple SSE server, but had no luck getting the same problem to occur.

    opened by ezzatron 10
  • Pubkey authentication does not work for Archlinux clients, asks for password

    Pubkey authentication does not work for Archlinux clients, asks for password

    I noticed today that my Arch machine is always required to input a password when hosting a tunnel or connecting to one. At first I thought I had copied my pubkey to sish's directory incorrectly. I fiddled with it a bunch and I ended up creating a new one without any luck. I also tried explicitly disabling password auth with -o PasswordAuthentication=no which didn't work.

    For comparison I tried the same thing from my raspberry pi (Ubuntu). As expected, adding my Pi's public key in the pubkey directory allowed both hosting a tunnel and connecting to an existing one without entering a password. I verified the correct behavior using WSL/Ubuntu on my Windows machine and the ubuntu:rolling docker image.

    I found you can reproduce the problem with the Arch image:

    1. docker run -it --rm archlinux:latest
    2. pacman -Sy
    3. pacman -S openssh
    4. ssh-keygen (no args or passcode)
    5. Copy pubkey to sish's directory
    6. ssh -R test:22:localhost:22 whereever_sish_is

    It appears to be a difference of clients. Pubkey auth works fine for other SSH services (github, gitlab, etc). Arch is on OpenSSH 8.8 and Ubuntu is 8.2. Does anyone have anything else I could try?

    opened by misterzirillo 0
  • Explicit parameter to setup a TCP Alias tunnel instead of a HTTP(S) proxy

    Explicit parameter to setup a TCP Alias tunnel instead of a HTTP(S) proxy

    Hello,

    This is a new feature request for an optional explicit parameter to setup a TCP alias tunnel instead of a HTTP(S) tunnel. Something like : ssh -R myalias:80:127.0.0.1:80 sish.server type=tcp-alias In the same spirit as the other explicit parameters, like the ones introduced for #167.

    Currently if we choose the port defined for either HTTP or HTTPS, sish will create a HTTP(S) tunnel and use the alias to compute the subdomain, which is great by default. Since #198 we can even change the default ports used for HTTP and HTTPS to something different than 80 and 443.

    But adding an explicit parameter would be even more convenient to allow both at the same time and let the client choose. This would offer another resolution to #185 as well.

    Thank you!

    opened by blop 0
  • Request auto close the ssh client if the requested domain is unavailable.

    Request auto close the ssh client if the requested domain is unavailable.

    image I use Docker to run the tunnel but when the requested domain is unavailable it cannot auto restart because the ssh didn't auto close. Please add this feature!

    question 
    opened by sonntuet1997 3
  • Enable authentication by default/automatically

    Enable authentication by default/automatically

    While looking at the readme again, i've realized that my current setup just doesn't need any kind of authentication. Looking again at the readme I think, that the provided docker command also has authentication disabled (it uses --authentication-keys-directory but not --authentication=true - i've copied the relevant args from the docker command and felt safe due to the --authentication-keys-directory).

    Ways to fix it:

    1. Leave authentication disabled by default but enable it when --authentication-keys-directory or --authentication-password is used
    • doesn't break anything
    • may create problems, when users rely on default pubkey directory
    1. Remove the --authentication flag and don't use default values for pubkey directory or password. If the user want's authentication he has to explicitly specify the directory or the password.
    • only breaks slightly (as the --authentication flag is now unknown and will throw an error)
    • One flag less to worry about
    • Users using the default pubkey directory are still insecure after upgrading (if they assumed that authentication was enabled by default or when they place keys in the directory)
    1. Enable authentication by default and (maybe) replace the --authentication flag by --disable-authentication to be more explicit.
    • breaks all unauthenticated setups (and all others when also changing the flag)
    • User has to explicitly make it insecure/public

    Option 3 is the safest option, but I wouldn't mind using option 2 to keep some backwards compability

    enhancement good first issue 
    opened by bibo38 1
  • Add an example in the wiki for a standard non-Docker systemd script?

    Add an example in the wiki for a standard non-Docker systemd script?

    It would be nice to have an example standard non-Docker systemd script, for the benefit of those running this outside a container.

    enhancement good first issue 
    opened by srk 3
  • Force a particular port for particular machine

    Force a particular port for particular machine

    I am working on a simple API to manage computers that connect to my sish. Because I want to know exactly which machine has which port and I want to prevent users from changing the remote port in their autossh configurations.

    I am using ssh key authentication only - every computer is represented by one key file with filename equal to their id in my database.

    It would be nice if I could force the usage of a particular port for a particular computer represented by the key

    enhancement 
    opened by santomet 0
Releases(v1.1.7)
ngrok : Introspected tunnels to localhost

ngrok - Introspected tunnels to localhost (homepage) ”I want to expose a local server behind a NAT or firewall to the internet.” What is ngrok? ngrok

null 0 Oct 27, 2021
Multiplexer over TCP. Useful if target server only allows you to create limited tcp connections concurrently.

tcp-multiplexer Use it in front of target server and let your client programs connect it, if target server only allows you to create limited tcp conne

许嘉华 3 May 27, 2021
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Jaime Pillora 6.5k Dec 2, 2021
Golang `net/rpc` over SSH using installed SSH program

Golang net/rpc over SSH using installed SSH program This package implements a helper functions to launch an RPC client and server. It uses the install

null 0 Nov 5, 2021
LazySSH is an SSH server that acts as a jump host only, and dynamically starts temporary virtual machines.

LazySSH is an SSH server that acts as a jump host only, and dynamically starts temporary virtual machines. If you find yourself briefly starti

Stéphan Kochen 467 Dec 1, 2021
Create a dynamic fou tunnels works behind NAT

Dynamic Linux Tunneling This software creates Gretap Tunnels over FOU for Dynamic client endpoints. It also works behind NAT444 (CGN-LSN). You can use

Ahmet ÖZER 2 Nov 4, 2021
TcpRoute , TCP 层的路由器。对于 TCP 连接自动从多个线路(电信、联通、移动)、多个域名解析结果中选择最优线路。

TcpRoute2 TcpRoute , TCP 层的路由器。对于 TCP 连接自动从多个线路(允许任意嵌套)、多个域名解析结果中选择最优线路。 TcpRoute 使用激进的选路策略,对 DNS 解析获得的多个IP同时尝试连接,同时使用多个线路进行连接,最终使用最快建立的连接。支持 TcpRoute

GameXG 835 Nov 28, 2021
🤘 The native golang ssh client to execute your commands over ssh connection. 🚀🚀

Golang SSH Client. Fast and easy golang ssh client module. Goph is a lightweight Go SSH client focusing on simplicity! Installation ❘ Features ❘ Usage

Mohamed El Bahja 868 Nov 29, 2021
Extended ssh-agent which supports git commit signing over ssh

ssh-agentx ssh-agentx Rationale Requirements Configuration ssh-agentx Configuration ssh-gpg-signer Linux Windows Signing commits after configuration T

Wim 3 May 18, 2021
Simple HTTP tunnel using SSH remote port forwarding

Simple HTTP tunnel using SSH remote port forwarding

Skye L. 16 Jul 27, 2021
Serve traffic (HTTP/gRPC) over SSH using Domain Sockets

Serve On SSH Introduction There is often a need to offer services for administrative purposes on servers or even for microservices that are running on

John Doak 6 Nov 12, 2021
TCP proxy, highjacks HTTP to allow CORS

portproxy A shitty TCP proxy that relays all requests to a local port to a remote server. portproxy -port 8080 -raddr google.com:80 Will proxy all TC

Antoine Grondin 45 May 29, 2021
开箱即用的基于命令的消息处理框架,让 websocket 和 tcp 开发就像 http 那样简单

Cmd Srv 开箱即用的基于命令的消息处理框架,让 websocket 和 tcp 开发就像 http 那样简单

Eyas 19 Nov 8, 2021
A library to simplify writing applications using TCP sockets to stream protobuff messages

BuffStreams Streaming Protocol Buffers messages over TCP in Golang What is BuffStreams? BuffStreams is a set of abstraction over TCPConns for streamin

Sean Kelly 247 Nov 11, 2021
A TCP socket based chat server implemented using Go

Go Chat Server A better TCP socket chat server implemented using Go Connecting nc localhost 5000 Docker Build the container image docker build -t grub

Christopher Gruber 0 Oct 16, 2021
Detect nmap TCP SYN scans (-sS) using gopacket in golang.

Setup Fetch dependencies using apt (PRs welcome for concise instructions for other package managers): sudo apt install libpcap-dev git clone https://

null 1 Oct 25, 2021
P2P Forwarder - a tool for farwarding tcp/udp ports. Made using libp2p.

P2P Forwarder A tool for farwarding ports. Made using libp2p. How it works A: opens desired ports ports inside P2P Forwarder A: shares it's id from P2

null 24 Nov 8, 2021
lite version of gobuster. Only subdomain brute. 内网轻量化子域名爆破工具

gobusterdns lite version of gobuster. Only subdomain brute. 内网轻量化子域名爆破工具 适合指定dns跑内网子域名 与原版的修改 精简功能,仅支持子域名扫描 可导入domain list文件扫描

TimWhite 34 Nov 29, 2021