TSTproxy - TCP Proxy via SSH Tunnelling

This program sets up and returns a TCP connection to a given address and port; a typical use would be a connection to an SSH server to be used by an SSH client.

In the trivial case the host is directly reachable and a direct connection is made. More commonly the host cannot be directly reached and one or more proxies must be set up. TSTproxy starts SSH clients to act as the necessary proxies based on its configuration file.

Like ProxyJump or ssh -J, TSTproxy is careful not to forward your SSH agent to the intermediate hosts. This is an important security benefit because anybody with root access on those intermediate hosts can send requests to your agent to use your key. (ssh-add -c helps with this, but isn't a perfect solution.)

TSTproxy differs from ProxyJump and similar solutions in two ways:

  1. The ProxyJump configuration differs depending on which host you're starting from, and so must be maintained separately on hosts in different parts of the internetwork. TSTproxy uses the same configuration on all hosts: it generates a network map and, based on your current location in that map, dynamically generates the list of intermediate hosts.

  2. TSTproxy sets up a single forwarding process between any host (initial or intermediate) and any destination using dynamic port forwarding (DynamicForward or ssh -D) so that additional connections through the proxy save time by not having to set up further ssh client sessions.
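The two points above amount to a path search over the network map followed by one dynamic-forwarding ssh client per intermediate host. The following is an added illustration of that idea, not TSTproxy's own code: the host names, the reachability map and the `nc -X 5 -x` ProxyCommand used to chain hops through the previous hop's SOCKS listener are all assumptions made for the example (the ProxyCommand assumes an OpenBSD-style netcat). The `-a` flag, like the README's ProxyJump comparison, keeps the agent from being forwarded to intermediate hosts.

```python
"""Added illustration (not TSTproxy's code): find the hop chain from the
current host to a destination in a reachability map, then emit the ssh
invocations that would set up one dynamic-forward (SOCKS) listener per
intermediate host."""
from collections import deque

# Constructed sample network map: which hosts can open a direct TCP
# connection to which other hosts. All host names are hypothetical.
NETWORK_MAP = {
    "laptop": ["bastion"],
    "bastion": ["laptop", "dmz-relay"],
    "dmz-relay": ["bastion", "db-host", "build-host"],
    "db-host": ["dmz-relay"],
    "build-host": ["dmz-relay"],
}


def find_path(network_map, start, dest):
    """Breadth-first search for the shortest chain of hosts from start to
    dest, both inclusive. Returns None when dest is unreachable."""
    if start == dest:
        return [start]
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in network_map.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dest:
                path = [dest]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def plan_commands(network_map, start, dest, base_port=1080):
    """Turn the path into ssh command lines, one per intermediate host.

    Each intermediate host gets its own `-D localhost:<port>` SOCKS listener;
    every hop after the first is reached through the previous hop's listener
    via ProxyCommand. `-a` disables agent forwarding to the intermediate
    hosts and `-N` runs no remote command. Returns [] for a direct
    connection, where no proxy is needed at all."""
    path = find_path(network_map, start, dest)
    if path is None:
        raise ValueError(f"{dest} is not reachable from {start}")
    intermediates = path[1:-1]
    commands = []
    previous_port = None
    for i, host in enumerate(intermediates):
        listen_port = base_port + i
        cmd = ["ssh", "-a", "-N", "-D", f"localhost:{listen_port}"]
        if previous_port is not None:
            # Assumption: OpenBSD-style nc provides a SOCKS5 ProxyCommand.
            cmd += ["-o", f"ProxyCommand=nc -X 5 -x localhost:{previous_port} %h %p"]
        cmd.append(host)
        commands.append(cmd)
        previous_port = listen_port
    return commands


if __name__ == "__main__":
    for c in plan_commands(NETWORK_MAP, "laptop", "db-host"):
        print(" ".join(c))
```

Run from `laptop` the plan yields two listeners (`bastion` on 1080, `dmz-relay` on 1081 chained through 1080); the final connection to `db-host` would then go through 1081. Run from `bastion` with the same map, only the `dmz-relay` hop remains, which is the "same configuration everywhere" property the README describes.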

Security Notes

At this time the dynamic forwarding proxy listens on a TCP socket bound to localhost, which means that anybody with a login on that host can initiate a TCP connection to arbitrary hosts reachable from the further intermediate hosts. Ideally it would instead listen on a Unix domain socket so that only the owner who initiated the connection could use it. Solutions to this are being investigated.
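As an added illustration of the alternative the note describes (this is not TSTproxy's code and does not claim how TSTproxy will solve it), the following creates a local listener that only its owning user can reach: a Unix domain socket in a mode 0700 directory, bound under a 0077 umask so the socket file carries no group or other permission bits, plus a check that verifies both conditions. The directory and file name are assumptions.

```python
"""Added illustration (not TSTproxy's code): an owner-only local listener on
a Unix domain socket, and a check that its permissions really exclude
other local users."""
import os
import socket
import stat
import tempfile


def bind_private_unix_socket(directory=None):
    """Create <directory>/proxy.sock that only the current user can connect
    to. Returns (listening socket, path). The directory is forced to mode
    0700 and the socket is bound under umask 0077, so the socket file gets
    no group/other bits regardless of the caller's umask."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="tstproxy-example-")  # assumed location
    os.chmod(directory, 0o700)
    path = os.path.join(directory, "proxy.sock")
    old_umask = os.umask(0o077)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)  # the socket file is created here, under the restrictive umask
        sock.listen(8)
    finally:
        os.umask(old_umask)
    return sock, path


def socket_is_private(path):
    """True when path is a socket, its file mode grants nothing to
    group/other, and its parent directory is not traversable by others
    (a world-traversable directory would let others reach the socket)."""
    st = os.stat(path)
    dir_st = os.stat(os.path.dirname(path))
    return (stat.S_ISSOCK(st.st_mode)
            and (st.st_mode & 0o077) == 0
            and (dir_st.st_mode & 0o077) == 0)


if __name__ == "__main__":
    sock, path = bind_private_unix_socket()
    print(path, "private:", socket_is_private(path))
    sock.close()
    os.unlink(path)
```

Contrast with the current behaviour: a TCP listener on 127.0.0.1 has no file permissions at all, so every local user can connect to it and `socket_is_private` has nothing to check; the Unix socket approach moves the access decision to the filesystem, where the owner controls it.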