A memory-safe SSH server, focused on listening only on VPN networks such as Tailscale

Overview


Features

  • Is tested to work with SCP
  • Integrates well with systemd

Quickstart

Download binary for your architecture. We only support Linux.

  • If you don't have /etc/ssh/ssh_host_ed25519_key (perhaps left over from a previous OpenSSH installation), run $ ./function22 host-key-generate to generate it.
  • Run $ ./function22 install to have it start on system startup.

Security

These things improve security compared to a default OpenSSH installation:

  • Restricts SSH listening to a VPN interface (like Tailscale), so your SSH server is not reachable directly from public internet.
  • Fully memory safe implementation (Go has native support for SSH protocol).
  • Fewer features => less attack surface.
    • Only ed25519 host keys are supported

Of course there are security points on which OpenSSH is better, such as having had orders of magnitude more security-conscious people looking at its source code. It is you who are ultimately responsible for your own security, so please consider all implications. :)

Why authenticate at all?

In theory, since Tailscale already treats "IP as identity" and enforces network-level access controls per user / device combination, you wouldn't need to authenticate the user at all.

I.e. IP packets arriving at the SSH server (from the VPN IP range) are already a sign that the user's end device passes the firewall ACLs.

Currently we still do additional auth for layered security. Once we gain more confidence in the code and understand additional attack vectors better, source-IP-restricted access will be considered.
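The two network-level controls described above (binding only to the VPN interface's address, and the source-IP check a future restricted mode would add) as an added example in Go; this is not function22's own code. It assumes the interface is named tailscale0 and uses only the standard library.

```go
package main
import (
	"errors"
	"log"
	"net"
	"net/netip"
)
// Tailscale node ranges: 100.64.0.0/10 (IPv4) and fd7a:115c:a1e0::/48 (IPv6).
var vpnPrefixes = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
}

// IsVPNAddr reports whether addr lies inside one of the Tailscale ranges.
func IsVPNAddr(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:100.x.y.z as 100.x.y.z
	for _, p := range vpnPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}
// PickVPNListenAddr returns the first VPN address of an interface (net.Interface.Addrs
// output) and fails closed: no VPN address is an error, never a 0.0.0.0 fallback.
func PickVPNListenAddr(addrs []net.Addr) (netip.Addr, error) {
	for _, a := range addrs {
		if p, err := netip.ParsePrefix(a.String()); err == nil && IsVPNAddr(p.Addr()) {
			return p.Addr(), nil
		}
	}
	return netip.Addr{}, errors.New("no VPN address on interface; refusing to listen")
}
// RemoteIsVPN is the per-connection check a source-IP-restricted mode would add.
func RemoteIsVPN(remote string) bool {
	ap, err := netip.ParseAddrPort(remote)
	return err == nil && IsVPNAddr(ap.Addr())
}
func main() {
	iface, err := net.InterfaceByName("tailscale0") // interface name is an assumption
	if err != nil {
		log.Fatal(err)
	}
	addrs, _ := iface.Addrs()
	ip, err := PickVPNListenAddr(addrs)
	if err != nil {
		log.Fatal(err)
	}
	log.Println("listen on", netip.AddrPortFrom(ip, 22))
}
```

The resulting address:port is what you would hand to net.Listen, so a missing or renamed VPN interface stops the server instead of silently exposing it on every interface.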

TODO

  • Log all failed connection attempts (even though we have network-level security)
  • Perhaps disable password authentication entirely
  • Perhaps use systemd socket activation? Or is that possible when bound to a specific network interface's IP? Seems possible.
  • Make this a library, so it can be embedded in other projects
Releases: 20220109_1427_6bd113ed
Owner: function61.com