github.com/devops-filetransfer/sshego@v7.0.4+incompatible/doc.go

github.com/devops-filetransfer/sshego@v7.0.4+incompatible/doc.go (about)

     1  /*
     2  Package sshego is a golang libary that does secure port
     3  forwarding over ssh.
     4  
     5  Also `gosshtun` is a command line utility included here that
     6  demonstrates use of the library; and may be useful standalone.
     7  
     8  The intent of having a Go library is so that it can be used
     9  to secure (via SSH tunnel) any other traffic that your
    10  Go application would normally have to do over cleartext TCP.
    11  
    12  While you could always run a tunnel as a separate process,
    13  by running the tunnel in process with your application, you
    14  know the tunnel is running when the process is running. It's
    15  just simpler to administer; only one thing to start instead of two.
    16  
    17  Also this is much simpler, and much faster, than using a
    18  virtual private network (VPN). For a speed comparison,
    19  consider [1] where SSH is seen to be at least 2x faster
    20  than OpenVPN.
    21  
    22  [1] http://serverfault.com/questions/653211/ssh-tunneling-is-faster-than-openvpn-could-it-be
    23  
    24  The sshego library typically acts as an ssh client, but also
    25  provides options to support running
    26  an embedded sshd server daemon. Port forwarding
    27  is the most typical use of the client, and
    28  this is the equivalent
    29  of using the standalone `ssh` client program
    30  and giving the `-L` and/or `-R` flags.
    31  
    32  If you only trust the user running your application and
    33  not your entire host, you can further restrict access
    34  by using either DialConfig.Dial() for a direct-tcpip connection, or
    35  by using the unix-domain-socket support.
    36  
    37  For example,
    38  
    39      gosshtun -listen 127.0.0.1:89  -sshd jumpy:55  -remote 10.0.1.5:80 -user alice -key ~/.ssh/id_rsa_nopw
    40  
    41  is equivalent to
    42  
    43      ssh -N -L 89:10.0.1.5:80 alice@jumpy -port 55
    44  
    45  with the addendum that `gosshtun` requires the use of passwordless
    46  private `-key` file, and will never prompt you for a password at the keyboard.
    47  This makes it ideal for embedding inside your application to
    48  secure your (e.g. mysql, postgres, other cleartext) traffic. As
    49  many connections as you need will be multiplexed over the
    50  same ssh tunnel.
    51  
    52  # theory of operation
    53  
    54  We check the sshd server's host key. We prevent MITM attacks
    55  by only allowing new servers if `-new` is given.
    56  
    57  You should give `-new` only once at setup time.
    58  
    59  Then the lack of `-new` can protect you on subsequent runs,
    60  because the server's host key must match what we were
    61  given the first time.
    62  
    63  # options
    64  
    65   $ gosshtun -h
    66   Usage of gosshtun:
    67    -cfg string
    68          path to our config file
    69    -esshd string
    70          (optional) start an in-process embedded sshd (server),
    71          binding this host:port, with both RSA key and 2FA
    72          checking; useful for securing -revfwd connections.
    73    -esshd-host-db string
    74          (only matters if -esshd is also given) path
    75          to database holding sshd persistent state
    76          such as our host key, registered 2FA secrets, etc.
    77          (default "$HOME/.ssh/.sshego.sshd.db")
    78    -key string
    79          private key for sshd login (default "$HOME/.ssh/id_rsa_nopw")
    80    -known-hosts string
    81          path to gosshtun's own known-hosts file (default
    82          "$HOME/.ssh/.sshego.cli.known.hosts")
    83    -listen string
    84          (forward tunnel) We listen on this host:port locally,
    85          securely tunnel that traffic to sshd, then send it
    86          cleartext to -remote. The forward tunnel is active
    87          if and only if -listen is given.  If host starts with
    88          a '/' then we treat it as the path to a unix-domain
    89          socket to listen on, and the port can be omitted.
    90    -new
    91          allow connecting to a new sshd host key, and store it
    92          for future reference. Otherwise prevent MITM attacks by
    93          rejecting unknown hosts.
    94    -quiet
    95          if -quiet is given, we don't log to stdout as each
    96          connection is made. The default is false; we log
    97          each tunneled connection.
    98    -remote string
    99          (forward tunnel) After traversing the secured forward
   100          tunnel, -listen traffic flows in cleartext from the
   101          sshd to this host:port. The foward tunnel is active
   102          only if -listen is given too.  If host starts with
   103          a '/' then we treat it as the path to a unix-domain
   104          socket to forward to, and the port can be omitted.
   105    -revfwd string
   106          (reverse tunnel) The gosshtun application will receive
   107          securely tunneled connections from -revlisten on the
   108          sshd side, and cleartext forward them to this host:port.
   109          For security, it is recommended that this be 127.0.0.1:22,
   110          so that the sshd service on your gosshtun host
   111          authenticates all remotely initiated traffic.
   112          See also the -esshd option which can be used to
   113          secure the -revfwd connection as well.
   114          The reverse tunnel is active only if -revlisten is given
   115          too. (default "127.0.0.1:22")
   116    -revlisten string
   117          (reverse tunnel) The sshd will listen on this host:port,
   118          securely tunnel those connections to the gosshtun application,
   119          whence they will cleartext connect to the -revfwd address.
   120          The reverse tunnel is active if and only if -revlisten is given.
   121    -sshd string
   122          The remote sshd host:port that we establish a secure tunnel to;
   123          our public key must have been already deployed there.
   124    -user string
   125          username for sshd login (default is $USER)
   126    -v    verbose debug mode
   127    -write-config string
   128          (optional) write our config to this path before doing
   129          connections
   130   $
   131  
   132  # example use of the command
   133  
   134      $ gosshtun -listen localhost:8888 -sshd 10.0.1.68:22 -remote 127.0.0.1:80
   135  
   136  means the following two network hops will happen, when a local browser connects to localhost:8888
   137  
   138                             `gosshtun`             `sshd`
   139      local browser ----> localhost:8888 --(a)--> 10.0.1.68:22 --(b)--> 127.0.0.1:80
   140        `host A`             `host A`               `host B`              `host B`
   141  
   142  where (a) takes place inside the previously established ssh tunnel.
   143  
   144  Connection (b) takes place over basic, un-adorned, un-encrypted TCP/IP. Of
   145  course you could always run `gosshtun` again on the remote host to
   146  secure the additional hop as well, but typically -remote is aimed at the 127.0.0.1,
   147  which will be internal to the remote host itself and so needs no encryption.
   148  
   149  */
   150  package sshego