SSH no ports provides ssh to a remote Linux device without that device having any open ports

Overview

Ssh! No ports

ssh no ports provides a way to ssh to a remote Linux host/device without that device having any open ports (not even 22) on external interfaces. All network connectivity is outbound, and there is no need to know the IP address the device has been given. As long as the device has an IP address, DNS and Internet access, you will be able to connect to it.

Quick demo

(asciinema recording)

There are two binaries:

sshnpd : The daemon that runs on the remote device

sshnp : The client that sets up a connection to the device which you can then ssh to via your localhost interface

To get going you need two Atsigns and their .atKeys files, plus the binaries (from the latest release). It is also possible to run from source using dart run. Once you have the Atsigns (free or paid Atsigns from atsign.com), drop the binaries in place on each machine and put the keys in the ~/.atsign/keys directory. You will need a device Atsign and a manager Atsign; each device can also be given a unique device name with the --device argument, so several devices can share one device Atsign.

Once the binaries and keys are in place, start the daemon on the remote device first. Remember to start the daemon at boot, using an rc.local script or similar.

./sshnpd --atsign <@your_devices_atsign> --manager <@your_manager_atsign> \
--device <device_name> -u

Once the daemon is up, run the client from another machine:

./sshnp --from <@your_manager_atsign> --to <@your_devices_atsign> \
--host <your_hostname_or_ip> --local-port <local_port> --device <device_name>

--host is the DNS name (or IP address) of the OpenSSH server on the client (admin) machine, i.e. the host the remote device will connect back to; --local-port is the port on your loopback interface that the reverse tunnel will expose. If everything goes to plan the client exits and tells you how to reach the remote host, for example:

ssh -p 3456 <device_username>@localhost

That connection travels over a reverse ssh tunnel that the remote device opened to your machine, so the device's own sshd never has to accept connections from the network. You can therefore stop sshd listening on all interfaces and bind it to 127.0.0.1 only.

That is easily done by editing /etc/ssh/sshd_config

#Port 22
#AddressFamily any
ListenAddress 127.0.0.1
#ListenAddress ::

Then restart the ssh daemon. Make sure sshnpd is started on boot, then reboot and check that it comes back. As this is beta code it is best to wrap the daemon in a shell script that restarts it, or let systemd keep it running.

My preference whilst testing was to run the daemon in tmux so it is easy to see the logs (-v).
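
As an added example (not code from the sshnoports project), the script below does the two checks the steps above call for on the device side and then keeps the daemon alive: it confirms that every active ListenAddress in an sshd_config is loopback-only (no ListenAddress at all counts as a failure, since sshd then binds every interface), flags any listening socket on the ssh port that is bound to a non-loopback address from saved ss -ltn output, and restarts sshnpd with a short back-off whenever it exits. The sshnpd path, the SSHNPD_RUN switch and the sample inputs are assumptions of this example, not part of the project.

```shell
#!/bin/sh
# Added example, not code from the sshnoports project.
# Device-side checks for a loopback-only sshd, plus a restart loop for sshnpd.
# Assumptions (hypothetical): sshnpd is installed at /usr/local/bin/sshnpd
# and sshd listens on port 22.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSH_PORT="${SSH_PORT:-22}"

# sshd_loopback_only CONFIG_FILE
# Returns 0 when the file has at least one active ListenAddress and every one
# of them is 127.0.0.1 or ::1 (with or without a :port suffix), otherwise 1.
# No ListenAddress at all means sshd listens on every interface, so that is 1 too.
sshd_loopback_only() {
    awk '
        /^[[:space:]]*#/ { next }                         # commented-out lines
        tolower($1) == "listenaddress" {
            n++
            addr = $2
            if (addr ~ /^\[/) {                           # [::1]:2222 -> ::1
                sub(/^\[/, "", addr); sub(/\].*$/, "", addr)
            } else if (gsub(/:/, ":", addr) == 1) {       # 127.0.0.1:2222 -> 127.0.0.1
                sub(/:[0-9]+$/, "", addr)
            }
            if (addr != "127.0.0.1" && addr != "::1") bad++
        }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }
    ' "$1"
}

# nonloopback_listeners SS_OUTPUT_FILE PORT
# Reads saved "ss -ltn" output and prints every LISTEN socket on PORT whose
# local address is not 127.0.0.1 or [::1]. Returns 0 if none, 1 if any.
nonloopback_listeners() {
    awk -v port="$2" '
        NR == 1 { next }                                  # column header
        $1 == "LISTEN" {
            laddr = $4                                    # e.g. 0.0.0.0:22 or [::1]:22
            p = laddr; sub(/.*:/, "", p)
            if (p != port) next
            host = laddr; sub(/:[0-9]+$/, "", host)
            if (host != "127.0.0.1" && host != "[::1]") { print laddr; found++ }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# supervise_sshnpd DEVICE_ATSIGN MANAGER_ATSIGN DEVICE_NAME
# Restarts the beta daemon whenever it exits, with a 5 s back-off so a
# persistent failure does not spin.
supervise_sshnpd() {
    while :; do
        /usr/local/bin/sshnpd --atsign "$1" --manager "$2" --device "$3" -u -v
        echo "sshnpd exited with status $?; restarting in 5s" >&2
        sleep 5
    done
}

# Run as: SSHNPD_RUN=1 ./sshnpd-supervise.sh @device_atsign @manager_atsign mydevice
# (with SSHNPD_RUN unset the file only defines the functions).
if [ "${SSHNPD_RUN:-0}" = 1 ]; then
    sshd_loopback_only "$SSHD_CONFIG" || {
        echo "refusing to start: $SSHD_CONFIG does not bind sshd to loopback only" >&2
        exit 1
    }
    ss_out=$(mktemp)
    ss -ltn > "$ss_out"
    if ! nonloopback_listeners "$ss_out" "$SSH_PORT"; then
        echo "refusing to start: sshd is listening on a non-loopback address (listed above)" >&2
        exit 1
    fi
    rm -f "$ss_out"
    supervise_sshnpd "$@"
fi
```

The config check is deliberately strict: a file that names no ListenAddress passes a quick eyeball review but leaves sshd on every interface, which is exactly the state this setup is meant to remove. The ss check catches the other common slip, an edited config that was never reloaded.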

Thoughts/bugs/contributions via PR all very welcome!

Usage

sshnpd (daemon)

Run the daemon binary file or the dart file:

./sshnpd <args|flags>
dart run bin/sshnpd.dart <args|flags>
Argument   Abbreviation  Mandatory  Description                                                   Default
--keyFile  -k            false      Sending atSign's keyFile if not in ~/.atsign/keys/
--atsign   -a            true       atSign of this device
--manager  -m            true       Manager's atSign that this device will accept triggers from
--device   -d            false      Name of this device; lets multiple devices share one atSign   "default"

Flags                Abbreviation  Description
--[no-]sshpublickey  -s            Update authorized_keys to include the public key sent by sshnp
--[no-]username      -u            Send the username to the manager so sshnp can display it in the command line
--[no-]verbose       -v            More logging

sshnp (client)

Run the binary file or the dart file:

./sshnp <args|flags>
dart run bin/sshnp.dart <args|flags>
Argument          Abbreviation  Mandatory  Description                                                                       Default
--key-file        -k            false      Sending atSign's atKeys file if not in ~/.atsign/keys/
--from            -f            true       Sending atSign
--to              -t            true       Send a notification to this atSign
--device          -d            false      Send a notification to this device                                                "default"
--host            -h            true       FQDN hostname (e.g. example.com) or IP address to connect back to
--port            -p            false      TCP port to connect back to                                                       22
--local-port      -l            false      Reverse ssh port to listen on, on your local machine                              2222
--ssh-public-key  -s            false      Public key file from ~/.ssh to be appended to authorized_keys on the remote device   false

Flags           Abbreviation  Description
--[no-]verbose  -v            More logging

Using Ngrok to avoid open ports at the admin end

The instructions above assume that the person administering the machine sshnp runs on can run an SSH daemon that is open to the Internet. That is often not practical, for many of the same reasons the device cannot or should not be reachable directly on an open port. To get around this, the Ngrok service can act as a proxy for the inbound SSH connection.

Get an Ngrok account

From their signup page

Add your SSH public key

From the system you're using for admin:

cat ~/.ssh/id_rsa.pub

Then copy the key and paste it into the New SSH Key box on the SSH Public Keys page.

Configure a local SSH server

Such as OpenSSH. It can run on any port and only needs to be bound to localhost, because the reverse tunnel from Ngrok delivers connections to it. Note that whatever listens on that port becomes reachable from the Internet through the Ngrok TCP endpoint, so this local server should accept key-based authentication only (no passwords). The following example uses an SSH server bound to port 2222, so the example /etc/ssh/sshd_config above becomes:

Port 2222
#AddressFamily any
ListenAddress 127.0.0.1
#ListenAddress ::

Start a reverse tunnel to Ngrok

It may be useful to do this in a screen or tmux session as another terminal will be needed for sshnp later.

ssh -R 0:localhost:2222 tunnel.us.ngrok.com tcp

This will initialise a connection showing something like:

Allocated port 12357 for remote forward to localhost:2222

ngrok (via SSH) (Ctrl+C to quit)

Account     Demo McDemoname (Plan: Free)
Region      us
Forwarding  tcp://6.tcp.ngrok.io:12345

Then invoke sshnp to connect via Ngrok

Command line form:

sshnp -f <@your_manager_atsign> -t <@your_devices_atsign> \
--device <device_name> -h 6.tcp.ngrok.io -p 12345 -l 3456

NB: Ngrok is likely to provide a different tunnel server and port each time. So substitute the values from the actual connection for -h 6.tcp.ngrok.io and -p 12345

E.g.

sshnp -f @happyadmin -t @moresecurething \
--device demothing -h 4.tcp.ngrok.io -p 10646 -l 3456

The tunnel inside a tunnel will now be ready

Connect to it with something like:

ssh -p 3456 -i ~/.ssh/key_for_device.key deviceuser@localhost

Where:

  • -p 3456 corresponds to -l 3456 from the sshnp invocation
  • -i ~/.ssh/key_for_device.key is presenting a private key that's trusted by the device in its ~/.ssh/authorized_keys
  • deviceuser is the username for the device
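
Ngrok hands out a different tunnel server and port each session, and the -h/-p pair has to match the Forwarding line exactly. As an added example (not code from the sshnoports project), the script below reads a saved copy of the Ngrok status screen (for instance the text copied from the tmux pane into a file), extracts the host and port from its Forwarding line, and either prints the matching sshnp command line or runs sshnp with those values directly, so a stale endpoint is never retyped by hand. It fails with a message when no tcp forwarding line is present, which is what you see when the tunnel did not come up. The atSigns, device name and file names are placeholders taken from the example above.

```shell
#!/bin/sh
# Added example, not code from the sshnoports project.
# Turn the Ngrok status screen into the exact sshnp invocation for this session.

# ngrok_forwarding NGROK_OUTPUT_FILE
# Prints "HOST PORT" taken from the "Forwarding  tcp://HOST:PORT" line.
# Returns 1 when no usable tcp forwarding line exists (tunnel not up, or not a
# tcp tunnel). The host is restricted to hostname characters and the port to
# digits so the values are safe to pass on as command arguments.
ngrok_forwarding() {
    awk '
        $1 == "Forwarding" && $2 ~ /^tcp:\/\// {
            ep = $2
            sub(/^tcp:\/\//, "", ep)                     # 6.tcp.ngrok.io:12345
            n = split(ep, part, ":")
            if (n == 2 && part[1] ~ /^[A-Za-z0-9.-]+$/ && part[2] ~ /^[0-9]+$/) {
                print part[1], part[2]
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# build_sshnp_cmd FROM_ATSIGN TO_ATSIGN DEVICE LOCAL_PORT NGROK_OUTPUT_FILE
# Prints the sshnp command line for the current tunnel; returns 1 (printing
# nothing) if the Ngrok endpoint could not be found.
build_sshnp_cmd() {
    fwd=$(ngrok_forwarding "$5") || return 1
    host=${fwd% *}
    port=${fwd#* }
    printf 'sshnp -f %s -t %s --device %s -h %s -p %s -l %s\n' \
        "$1" "$2" "$3" "$host" "$port" "$4"
}

# run_sshnp FROM_ATSIGN TO_ATSIGN DEVICE LOCAL_PORT NGROK_OUTPUT_FILE
# Same inputs, but execs sshnp with the values as separate arguments, so the
# endpoint text is never re-parsed by the shell (no eval of generated text).
run_sshnp() {
    fwd=$(ngrok_forwarding "$5") || {
        echo "no Ngrok tcp endpoint found in $5; is the tunnel up?" >&2
        return 1
    }
    sshnp -f "$1" -t "$2" --device "$3" -h "${fwd% *}" -p "${fwd#* }" -l "$4"
}

# Usage (placeholders): save the Ngrok screen to ngrok.txt in one terminal, then
#   run_sshnp @happyadmin @moresecurething demothing 3456 ngrok.txt
# and, once sshnp reports success,
#   ssh -p 3456 -i ~/.ssh/key_for_device.key deviceuser@localhost
```

The "Allocated port ... for remote forward" line printed by ssh is not used on purpose: the Forwarding line is the endpoint Ngrok actually exposes, and that is the one the device must connect back to.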

Tunnels in tunnels, an illustration

First a tunnel from Ngrok back to admin_PC:

ssh -R 0:localhost:2222 tunnel.us.ngrok.com tcp

                    admin_PC                Ngrok
                    2222<-------------------12345


                    <----------------------------

Then a tunnel initiated by sshnp from the device, through Ngrok to the admin_PC:

sshnp -f @happyadmin -t @moresecurething \
--device demothing -h 0.tcp.ngrok.io -p 12345 -l 3456

                    admin_PC                Ngrok
          admin_PC  2222<-------------------12345    Device
          3456<----/‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾\-------22

          <------------------------------------------------
                    <----------------------------

Finally an SSH connection through those tunnels from the admin_PC to the device:

ssh -p 3456 -i ~/.ssh/key_for_device.key deviceuser@localhost

                    admin_PC                Ngrok
          admin_PC  2222<-------------------12345    Device
SSH------>3456<----/‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾\-------22-------->SSHD
          \______________________________________________/

          <------------------------------------------------
                    <----------------------------

Of course that final SSH connection can also be used as a tunnel...

Who is this tool for?

System Admins
Network Admins
IoT Manufacturers
Anyone running ssh where they don't want it to be open to a hostile network!

Maintainers

Created by Atsign

Original code by @cconstab

Comments
  • Wrong MAC OS Binary in #v1.1.0 Release

    Describe the bug sshnp binary is of Mach-O 64-bit executable arm64 architecture in both sshnp_OSX_arm_64.tar.gz and sshnp_OSX_x86_64.tar.gz files.

    To Reproduce

    1. Download both archives.
    2. Extract both.
    3. Run file sshnp/sshnp

    Expected behavior sshnp_OSX_x86_64.tar.gz should contain the correct x86_64 architecture.

    Screenshots Please see a short video demonstrating the issue attached. https://user-images.githubusercontent.com/1979797/172198065-84c93e75-72e9-4301-a17a-6389b29a68b0.mov

    Smartphone (please complete the following information):

    • Device: MAC

    • OS: MAC OS

    bug 
    opened by grifonas 3
  • docs: usage section

    - What I did Add usage instructions for sshnpd and sshnp

    - How I did it Edit README.md (see changes)

    - How to verify it Daemon instructions (sshnpd) image

    Client instructions (sshnp) image

    opened by JeremyTubongbanua 2
  • Daemon shouldn't crash when asked to connect to an address that doesn't exist

    Describe the bug

    Daemon crashes if asked to connect to a name that can't be found:

    WARNING|2022-05-09 13:13:32.752313| sshnpd |ssh session started from: @cpswan session: e7a8f58b-3e99-4675-8aff-96b1533f8903
    
    Unhandled exception:
    SocketException: Failed host lookup: 'bad.name.net' (OS Error: Name or service not known, errno = -2)
    #0      _NativeSocket.startConnect (dart:io-patch/socket_patch.dart:682)
    #1      _NativeSocket.connect (dart:io-patch/socket_patch.dart:948)
    #2      _RawSocket.connect (dart:io-patch/socket_patch.dart:1805)
    #3      RawSocket.connect (dart:io-patch/socket_patch.dart:21)
    #4      Socket._connect (dart:io-patch/socket_patch.dart:2028)
    #5      Socket.connect (dart:io/socket.dart:776)
    #6      connectNativeSocket (package:dartssh2/src/socket/ssh_socket_io.dart:12)
    #7      SSHSocket.connect (package:dartssh2/src/socket/ssh_socket.dart:13)
    #8      sshCallback (file:///home/ubuntu/sshnoports/bin/sshnpd.dart:269)
    <asynchronous suspension>
    

    To Reproduce Steps to reproduce the behavior:

    1. First I made a typo in the host name I wanted to connect to ./sshnp/sshnp --from @cpswan --to @bareindoornetball --device demovm -h bad.name.net
    2. Then I realised that it should have been good.name.com
    3. But by then the daemon had crashed.

    Expected behavior

    Daemon catches the exception and stays up.

    bug 
    opened by cpswan 2
  • Confusing error message `Unable to determine Host to connect to: please use --local-ssh-port`

    Describe the bug

    Unable to determine Host to connect to: please use --local-ssh-port and specify the DNS/IP address with --host

    Where --local-ssh-port isn't even listed as an option, and --host isn't marked as mandatory.

    To Reproduce Steps to reproduce the behavior:

    1. First I run ./sshnp with no args to get help and see:
    -k, --key-file            Sending @sign's atKeys file if not in ~/.atsign/keys/
    -f, --from (mandatory)    Sending @sign
    -t, --to (mandatory)      Send a trigger to this @sign
    -d, --device              Send a trigger to this device
                              (defaults to "default")
    -h, --host                DNS Hostname or IP address to connect back to
    -p, --port                TCP port to connect back to
                              (defaults to "22")
    -l, --local-port          Reverse ssh port to listen on
                              (defaults to "2222")
    -s, --ssh-public-key      Public key file from ~/.ssh to be apended to authorized_hosts on the remote device
                              (defaults to "false")
    -v, --[no-]verbose        More logging
    FormatException: Option from is mandatory.
    
    2. Then I construct a (beyond) minimal command line ./sshnp --from @cpswan --to @bareindoornetball --device demovm which has both of the mandatory flags and a device identifier.
    3. And then:
    -k, --key-file            Sending @sign's atKeys file if not in ~/.atsign/keys/
    -f, --from (mandatory)    Sending @sign
    -t, --to (mandatory)      Send a trigger to this @sign
    -d, --device              Send a trigger to this device
                              (defaults to "default")
    -h, --host                DNS Hostname or IP address to connect back to
    -p, --port                TCP port to connect back to
                              (defaults to "22")
    -l, --local-port          Reverse ssh port to listen on
                              (defaults to "2222")
    -s, --ssh-public-key      Public key file from ~/.ssh to be apended to authorized_hosts on the remote device
                              (defaults to "false")
    -v, --[no-]verbose        More logging
    
    Unable to determine Host to connect to: please use --local-ssh-port and specify the DNS/IP address with --host
    

    Expected behavior

    If --host is mandatory then say so. Don't reference a --local-ssh-port in an error message if it's not listed in the help. Provide examples of minimal command lines, and the use of options.

    bug 
    opened by cpswan 2
  • Failed to fetch encryption public keys leads to failure in sshnoports server

    Describe the bug

    Experiencing the below issue when starting sshnp server:

    Unhandled exception:
    Exception: Failed to fetch the current atSign public key - public:[email protected]_manager
    #0      AtClientImpl.get (package:at_client/src/client/at_client_impl.dart:255:7)
    <asynchronous suspension>
    #1      main (file:///C:/Users/colin/GitHub/@foundation/sshnoports/bin/sshnp.dart:207:26)
    <asynchronous suspension>
    

    Additional context This is inline with the conversation in engg. chat with threads group on Jul 29 2022.

    3 SP bug 
    opened by kalluriramkumar 1
  • fix: changed eol to LF (Unix style) for systemd service file

    - What I did Change format of sshnpd.service to Unix style (LF) from windows style (CRLF)

    - How I did it VS Code - How to verify it Checked in editor - Description for the changelog fix: changed eol to LF (Unix style) for systemd service file

    opened by cconstab 0
  • feat: Added sshnpd systemd script and README.md file

    - What I did Added some details around how to have sshnpd run as a systemd service

    - How I did it Created a .service file and README.md

    - How to verify it Checked everything works on my test rig (it does)

    - Description for the changelog Added sshnpd systemd script and README.md file

    opened by cconstab 0
  • Usernames

    - What I did Added the namespace to the username key - How I did it

    - How to verify it ran tests locally - Description for the changelog

    opened by cconstab 0
  • Add spaces to list so that it doesn't collapse onto a single line

    - What I did

    Terminated list lines with double spaces

    - Description for the changelog

    Add spaces to list so that it doesn't collapse onto a single line

    opened by cpswan 0
  • Decrypt notification

    Removed the hacky way to decrypt notification values

    Used the `shouldDecrypt` optional parameter

    - Tested and tested again

    - Description for the changelog

    opened by cconstab 0
  • Send ACK notification from sshnpd to sshnp

    Is your feature request related to a problem? Please describe. If sshnpd is not running at the other end, sshnp does not know that that is the case, and completes apparently successfully

    Describe the solution you'd like I'd like sshnp to receive a notification from sshnpd that it has received the request and perhaps a second notification from sshnpd saying that it has acted on the request (and if it couldn't, why not)

    enhancement 
    opened by gkc 1
  • If authorized_keys does not exist then the -s function does not work..

    Describe the bug If you want to send your public key to the server using -s then it only works if the authorized_keys file is already in place.

    To Reproduce Steps to reproduce the behavior:

    1. First I deleted the authorized_keys file on the server in .ssh
    2. Then I used the -s option on the client but are still prompted for a password
    3. Checking the log you see the issue
    4. touching the file then re running everything works as it should

    Expected behavior If the file does not exist then the server should create it

    logs

    INFO|2022-05-21 20:12:05.567675| sshnpd |ssh Public Key recieved from @colin notification id : f7ad4dc8-f0da-4484-8b09-f5ac407caa82 
    
    SEVERE|2022-05-21 20:12:05.569308| sshnpd |Error writting to pi .ssh/authorized_keys file : FileSystemException: Cannot open file, path = '/home/pi/.ssh/authorized_keys' (OS Error: No such file or directory, errno = 2)      
    
     INFO|2022-05-21 20:12:07.864150| sshnpd |ssh callback request recieved from @colin notification id : 763452cc-45e7-47bc-99a9-5ec6d7ed38d1
    
    

    Smartphone (please complete the following information):

    • Linux PiOS
    bug 
    opened by cconstab 1
  • Document how binaries are created

    Describe the solution you'd like Add a section to CONTRIBUTING.md showing how to compile the binaries.

    Describe alternatives you've considered Provide a GitHub Actions workflow that automates the binary creation process for new releases.

    enhancement 
    opened by cpswan 1
Releases: v1.1.3

Owner: The Atsign Foundation