README
¶
SSH-over-WebSocket Relay
ssh-relay is a client/server implementation of Google's SSH-over-WebSocket
Relay, as defined in
https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md.
The primary use case for this is using the Secure Shell Chrome
App and the Secure Shell Chrome Extension, but
the client helper makes it possible to use with ssh's ProxyCommand
functionality.
Features
- NEW: Supports the
corp-relay-v4@google.comversion of the Relay Protocol. - Supports client/server version 2 of the Cookie Protocol.
- Version 1 is supported by the Cookie Server, though this version is deprecated.
- Supports WebSockets for the SSH transport (via
/connect).- The older XHR-based method (via
/readand/write) is NOT supported.
- The older XHR-based method (via
- Configuration is done almost entirely via protobuf messages.
- TLS is now optional for all operations, its options are configurable.
Building
Building of all components is done via Bazel.
Chrome Extension / App Usage
Add something like this to the SSH relay server options:
corp-relay-v4@google.com (New Protocol)
--proxy-host=cookie-server.example.org --proxy-port=8022 --use-ssl --proxy-mode=corp-relay-v4@google.com
corp-relay@google.com (Old Protocol)
--relay-protocol=v2 --report-ack-latency=true --report-connect-attempts=true --proxy-host=cookie-server.example.org --proxy-port=8022 --use-ssl
If you are using a security key (e.g., the Titan Security
Key), add
--ssh-agent=gnubby to the options above.
Components
NOTE: It's possible to host the Cookie Server and the SSH Relay on the same
host, but in that case you'll need a reverse proxy (e.g., nginx) to route
requests accordingly.
Cookie Server
The Cookie Server is responsible for authenticating/authorizing clients, and redirecting them to a suitable SSH Relay.
This component is only used for the first phase of the connection, as such it has minimal requirements and is not latency sensitive.
SSH Relay
The SSH Relay takes a client that's been authorized by the Cookie Server, and relays SSH traffic between the server (talking plain SSH) and the client (talking SSH-over-WebSocket).
The SSH Relay enforces a maximum session lifetime, forcing clients to re-authenticate against the Cookie Server periodically.
Helper
This is a helper binary to relay an ssh(1) session via the ProxyCommand
directive.
Example Usage
~/.ssh/config, /etc/ssh/ssh_config
# Anything under example.org must go via the WebSocket relay.
Host *.example.org
ProxyCommand ssh_relay_helper --config=/etc/ssh-relay-helper/config.txtpb --host='%h' --port='%p'
/etc/ssh-relay-helper/config.txtpb
# DO NOT set host/port in the config proto.
# This can also be passed via --cookie_server_address,
# port defaults to 8022 if unspecified.
cookie_server_address: "cookie-server.example.org:8022"
# Settings for talking to the Cookie Server.
cookie_server_transport {
tls_config {
cert_file: "/etc/ssh-relay-helper/client.crt"
key_file: "/etc/ssh-relay-helper/client.key"
root_ca_certs: "/etc/ssh-relay-helper/ca.crt"
}
}
See the testdata directory for additional configuration examples.
Bugs / Feature Requests
All bugs/feature requests should be done via GitHub, pull requests are welcome.
Disclaimer
This project is NOT affiliated or endorsed by Google.
All code was written based on Google's public documentation and minimally tested using the Secure Shell Chrome App and the Secure Shell Chrome Extension.
Directories
¶
| Path | Synopsis |
|---|---|
|
cookie-server
|
|
|
backend/example
command
example implements a simple gRPC server for authorizing /cookie requests.
|
example implements a simple gRPC server for authorizing /cookie requests. |
|
cmd
command
ssh-relay-cookie-server is the main Cookie Server binary.
|
ssh-relay-cookie-server is the main Cookie Server binary. |
|
request/cookie
Package cookie represents a /cookie request to the Cookie Server.
|
Package cookie represents a /cookie request to the Cookie Server. |
|
request/cookie/handler
Package handler implements an HTTP handler for /cookie requests.
|
Package handler implements an HTTP handler for /cookie requests. |
|
runner
Package runner implements the main Cookie Server logic, as defined in https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md.
|
Package runner implements the main Cookie Server logic, as defined in https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md. |
|
Package duration provides functionality around time.Duration.
|
Package duration provides functionality around time.Duration. |
|
helper
|
|
|
agent
Package agent provides functionality to authenticate against the Cookie Server and set up an SSH-over-WebSocket Relay session.
|
Package agent provides functionality to authenticate against the Cookie Server and set up an SSH-over-WebSocket Relay session. |
|
cmd
command
ssh-relay-helper is an SSH proxy command compatible with the Google SSH-over-WebSocket Relay protocol.
|
ssh-relay-helper is an SSH proxy command compatible with the Google SSH-over-WebSocket Relay protocol. |
|
session
Package session defines an SSH-over-WebSocket Relay client session.
|
Package session defines an SSH-over-WebSocket Relay client session. |
|
session/cookie
Package cookie implements functionality for interacting with the Cookie Server, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay-cookie.
|
Package cookie implements functionality for interacting with the Cookie Server, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay-cookie. |
|
session/corprelay
Package corprelay implements a corp-relay@google.com SSH-over-WebSocket Relay client session.
|
Package corprelay implements a corp-relay@google.com SSH-over-WebSocket Relay client session. |
|
session/corprelayv4
Package corprelayv4 implements a corp-relay-v4@google.com SSH-over-WebSocket Relay client session.
|
Package corprelayv4 implements a corp-relay-v4@google.com SSH-over-WebSocket Relay client session. |
|
Package http provides functionality to create http Clients/Servers.
|
Package http provides functionality to create http Clients/Servers. |
|
proto
|
|
|
relay
|
|
|
cmd
command
ssh-relay is an extensible SSH-over-WebSocket relay.
|
ssh-relay is an extensible SSH-over-WebSocket relay. |
|
request
Package request implements common functionality to all SSH Relay HTTP requests.
|
Package request implements common functionality to all SSH Relay HTTP requests. |
|
request/corprelay/connect
Package connect represents a corp-relay@google.com /connect request to the SSH Relay.
|
Package connect represents a corp-relay@google.com /connect request to the SSH Relay. |
|
request/corprelay/connect/handler
Package handler implements an HTTP handler for corp-relay@google.com /connect requests.
|
Package handler implements an HTTP handler for corp-relay@google.com /connect requests. |
|
request/corprelay/proxy
Package proxy represents a corp-relay@google.com /proxy request to the SSH Relay.
|
Package proxy represents a corp-relay@google.com /proxy request to the SSH Relay. |
|
runner
Package runner implements the main SSH-over-WebSocket Relay logic, as defined in https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md.
|
Package runner implements the main SSH-over-WebSocket Relay logic, as defined in https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md. |
|
session/manager
Package manager implements an SSH-over-WebSocket Session manager for the SSH Relay.
|
Package manager implements an SSH-over-WebSocket Session manager for the SSH Relay. |
|
Package request implements common functionality to all HTTP requests.
|
Package request implements common functionality to all HTTP requests. |
|
Package response implements a JSON response for client redirection, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay-method.
|
Package response implements a JSON response for client redirection, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay-method. |
|
Package session defines an SSH Relay protocol implementation.
|
Package session defines an SSH Relay protocol implementation. |
|
corprelay
Package corprelay implements the corp-relay@google.com protocol, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay.
|
Package corprelay implements the corp-relay@google.com protocol, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay. |
|
corprelayv4
Package corprelayv4 implements the corp-relay-v4@google.com protocol, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay-v4.
|
Package corprelayv4 implements the corp-relay-v4@google.com protocol, see https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/relay-protocol.md#corp-relay-v4. |
|
corprelayv4/command
Package command defines the various corp-relay-v4@google.com commands.
|
Package command defines the various corp-relay-v4@google.com commands. |
|
Package tls provides helpers around the crypto/tls package.
|
Package tls provides helpers around the crypto/tls package. |
Click to show internal directories.
Click to hide internal directories.