README.md

# OpenSSH via Global Socket
**Connect with ssh to a firewalled host**

**Problem**
ALICE and BOB are on two different networks and behind a NAT/Firewall. Neither of them can reach the other.

**Objective**
Allow user bob on host BOB to log in with ssh as user bob on host ALICE (without tampering with the firewall, NAT or router settings).

**Solution**
Start sshd and ssh with the *gsocket* tool to (automatically) redirect any ssh traffic via the Global Socket Relay Network (GSRN).

Let's test the *gsocket* concept. Start *sshd* on ALICE with the *gsocket* tool:
```ShellSession
root@ALICE:~# gsocket -s ExampleSecretChangeMe /usr/sbin/sshd -D
```

The *gsocket* tool hooks all network functions and redirects them via the GSRN. The above example redirects the `listen()` call so that sshd listens on the Global Socket named *ExampleSecretChangeMe* instead of on port 22.

Anyone with the correct secret (*ExampleSecretChangeMe*) can now connect to this sshd from anywhere in the world. The sshd process will _not_ listen on the default SSHD port 22 but instead on a Global Socket named *ExampleSecretChangeMe*. (On Global Socket we use names and not numbers.)

From BOB use the *gsocket* tool to log in to ALICE:
```ShellSession
bob@BOB:~$ gsocket ssh bob@gsocket
Enter Secret (or press Enter to generate): ExampleSecretChangeMe
=Secret         :"ExampleSecretChangeMe"
=Encryption     : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-65-generic x86_64)
bob@ALICE:~$
```

Any networking application that connects to a hostname ending in *gsocket* (or *blah.anything.gsocket*) is redirected via the GSRN.
**Installation**

Let's make this change permanent so that ALICE is accessible via the GSRN after a system reboot. This does not tamper with the default *SSHD* service in any way. The *GS-SSHD* runs as an additional service alongside the default *SSHD* service.

Copy the default sshd.service:
```ShellSession
root@ALICE:~# cd /etc/systemd/system
root@ALICE:/etc/systemd/system# cp sshd.service gs-sshd.service
root@ALICE:/etc/systemd/system# chmod 600 gs-sshd.service
```

Edit the *gs-sshd.service* file and change this line:
```EditorConfig
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
```
to
```EditorConfig
ExecStart=gs -s ExampleSecretChangeMe /usr/sbin/sshd -D $SSHD_OPTS
```

Start, check and enable the newly created service:
```ShellSession
root@ALICE:~# systemctl start gs-sshd
root@ALICE:~# systemctl status gs-sshd
root@ALICE:~# systemctl enable gs-sshd
```

Log in to host ALICE from anywhere in the world:
```ShellSession
bob@BOB:~$ gsocket ssh bob@gsocket
Enter Secret (or press Enter to generate): ExampleSecretChangeMe
=Secret         :"ExampleSecretChangeMe"
=Encryption     : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-65-generic x86_64)
bob@ALICE:~$
```
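The installation steps above, scripted: a POSIX shell function that builds the gs-sshd.service text from an existing sshd.service by rewriting its ExecStart line, and refuses the README's placeholder secret or a secret that would break the unit file. This is an added example, not part of the gsocket project; it assumes the `gs -s SECRET` wrapper invocation shown in the unit file above and uses a constructed sshd.service as input.

```shell
#!/bin/sh
# Added example (not the gsocket project's own code).
# make_gs_unit SECRET < sshd.service  ->  prints the gs-sshd.service content.
# Assumes the `gs -s SECRET` invocation from the README's unit file.
make_gs_unit() {
    secret="$1"
    case "$secret" in
        ""|ExampleSecretChangeMe)
            echo "refusing empty or placeholder secret; generate one with 'gsocket -g'" >&2
            return 1 ;;
        *[!A-Za-z0-9]*)
            # Keep the secret out of sed's replacement syntax and shell word splitting.
            echo "secret must be alphanumeric (as produced by 'gsocket -g')" >&2
            return 1 ;;
    esac
    # Prefix only the sshd command in ExecStart with the gs wrapper; all other
    # lines (ExecStartPre, ExecReload, [Install], ...) are passed through unchanged.
    sed "s|^ExecStart=/usr/sbin/sshd |ExecStart=gs -s $secret /usr/sbin/sshd |"
}

# Constructed sample resembling a distribution sshd.service (not copied from any system).
SAMPLE_UNIT='[Unit]
Description=OpenBSD Secure Shell server
After=network.target

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target'

# count_gs_execstart UNIT_TEXT -> number of ExecStart lines routed through gs;
# a value other than 1 means the rewrite did not take effect as expected.
count_gs_execstart() {
    printf '%s\n' "$1" | grep -c '^ExecStart=gs -s '
}

# Stand-alone demonstration: emit the rewritten unit for a constructed secret.
printf '%s\n' "$SAMPLE_UNIT" | make_gs_unit M9BfcYhhG4LujcPTbUcaZN
```

On a real host the printed unit goes to /etc/systemd/system/gs-sshd.service with mode 600, as in the steps above, since the file contains the secret in clear text.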
71
**Notes**

Do not use *ExampleSecretChangeMe*. Generate your own secret using the *-g* option:
```ShellSession
$ gsocket -g
M9BfcYhhG4LujcPTbUcaZN
```

This example uses double encryption: the GSRN connection is encrypted with OpenSSL's SRP protocol, and within that tunnel OpenSSH uses its own encryption. As a consequence the GS-SSHD is only accessible to those who know the secret (*ExampleSecretChangeMe*), i.e. the TCP port and the service are hidden. The *-C* option can be used to disable GSRN encryption and rely on OpenSSH's encryption only.

Changing the hostname from *gsocket* to *thc* will connect through Tor first: ssh -> Tor -> GSRN.

Many more gs options are available. See the manual page for gs.