Sending data to SSH client from server implemented in SSH Apache Mina - ssh

We are new to the Apache MINA SSH server and are currently working on reverse SSH.
Here are the steps followed:
SSHD server started on a port; the server implements StreamIOHandler.
Upon receiving a connection from the device, we have an IOSession, InputStream and OutputStream.
Questions:
How to use this IoSession to write the data back to the device?
Can we get the ClientChannel/ClientSession associated with the IoSession? (Or) do these only apply when the connection is initiated from the client to the server, not the other way?
What are the IOInputStream and IOOutputStream classes?
It would be of great help if someone could share some programs.
Thanks
Vikram

It seems that you are implementing the NETCONF protocol over SSH.
When NETCONF is used over SSH, it is implemented as a "netconf" channel.
So I assume you should implement an SSH subsystem in MINA, similarly to the SftpSubsystem class, which implements the Command interface:
public interface Command {
void setInputStream(InputStream in);
void setOutputStream(OutputStream out);
...
}
Using setOutputStream you get an OutputStream. Whatever you write to the stream is sent to the (SSH) client.
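The following is an added example, not code from the original posts or from the Apache MINA SSHD project: a complete subsystem for Apache MINA SSHD 2.x that receives the channel's streams through the Command interface quoted above and pushes data to the SSH client through the OutputStream. The subsystem name "demo", the port 2222, the password check and the host-key file name are assumptions for the demo; in a reverse-SSH setup the device is the SSH client that connects in, and the same subsystem code serves it.

```java
// Added example for Apache MINA SSHD 2.x (assumed version); not the project's own code.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.sshd.server.Environment;
import org.apache.sshd.server.ExitCallback;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.channel.ChannelSession;
import org.apache.sshd.server.command.Command;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.subsystem.SubsystemFactory;

public class DemoSubsystemServer {

    /** One instance per channel; the server hands it the channel's streams before start(). */
    static final class DemoSubsystem implements Command {
        private InputStream in;
        private OutputStream out;
        private ExitCallback exit;
        private final ExecutorService worker = Executors.newSingleThreadExecutor();

        @Override public void setInputStream(InputStream in) { this.in = in; }
        @Override public void setOutputStream(OutputStream out) { this.out = out; }
        @Override public void setErrorStream(OutputStream err) { /* not used here */ }
        @Override public void setExitCallback(ExitCallback callback) { this.exit = callback; }

        /** Must return promptly: blocking here would stall the server's I/O thread. */
        @Override public void start(ChannelSession channel, Environment env) {
            worker.submit(this::serve);
        }

        @Override public void destroy(ChannelSession channel) {
            worker.shutdownNow();
        }

        private void serve() {
            try (BufferedReader reader =
                         new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
                send("hello from server\n");      // server-initiated data to the client
                String line;
                while ((line = reader.readLine()) != null) {
                    if ("quit".equals(line.trim())) break;
                    send("echo: " + line + "\n");
                }
                exit.onExit(0);
            } catch (IOException e) {
                exit.onExit(1, e.getMessage());
            }
        }

        private void send(String text) throws IOException {
            out.write(text.getBytes(StandardCharsets.UTF_8));
            out.flush();   // without flush() the bytes can sit in the channel buffer
        }
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);                                       // assumed port
        // Persist the generated host key, otherwise clients see a new key on every restart.
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));
        // Demo-only authentication (assumed credentials); use public-key auth in real deployments.
        sshd.setPasswordAuthenticator((user, password, session) ->
                "demo".equals(user) && "demo".equals(password));
        sshd.setSubsystemFactories(Collections.<SubsystemFactory>singletonList(new SubsystemFactory() {
            @Override public String getName() { return "demo"; }   // assumed subsystem name
            @Override public Command createSubsystem(ChannelSession channel) { return new DemoSubsystem(); }
        }));
        sshd.start();
        Thread.currentThread().join();   // keep the JVM alive while the server runs
    }
}
```

Connect with an ordinary client and request the subsystem by name, for example `ssh -p 2222 -s demo@localhost demo`: the greeting arrives immediately, and each line typed comes back prefixed with "echo:". The point for the original question is that the server never needs the raw IoSession to talk to the peer; the channel's OutputStream is the supported path, and start() must hand the work to another thread.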

Related

using cloudflared to do ssh tunneling accessible from the internet without needing to run cloudflared on the other side

I have a raspi machine behind NAT in my room, and I want to access it from the internet using a URL. I found this article:
https://developers.cloudflare.com/cloudflare-one/tutorials/ssh
However, it requires me to run the cloudflared program on the connecting client. I understand that this is for security purposes. Is it possible to make the connection without running the cloudflared program on the client machine?
A follow-up question would be: is it possible to ssh into an IPv6 machine using the same technique?
There are various options when it comes to connecting to a machine running on a private network:
1) Running cloudflared on the client (which you already found).
2) Installing the WARP client on the user side, then using cloudflared on the server side to expose the service securely. Finally, route the network traffic for the private network on the tunnel via WARP. This approach is described in a tutorial here.
3) Cloudflare has also started supporting in-browser rendering of an SSH session. I have written a tutorial describing how to set it up here.
Approach (3) would do away with the need to run a client, since it relies on a simple browser.

Which one is server on ssh, sender or receiver?

I am learning ssh.
Assuming I try
userA@pc_A:~$ ssh userB@pc_B
which one is the server for ssh? pc_A? or pc_B?
And on the server machine, is only sshd involved in the communication above? I am confused when I read some different instructions. Thank you very much.
This is basic client/server terminology. You'll encounter this over and over with TCP/IP networking:
A server is a process that provides a service. It waits for clients to connect to it.
A client is a process that wants to use a service. It creates connections to a server.
userA@pc_A:~$ ssh userB@pc_B
In this case, the ssh program that you're running is a client. It will make a connection to a server running on host pc_B. That server may be an instance of the sshd program, but there are other ssh server programs that people can use.
If there is an sshd process running on pc_A, it's not involved with connections from an ssh client on A to a server on B.
The terms "sender" and "receiver" aren't really useful here. Once the client makes a connection to the server, the client and the server will communicate in both directions through the connection. So the client sends data which the server receives, and the server sends data which the client receives.
People will use the term "server" to refer to either the program (sshd) or the computer (pc_B) which provides the service. This can be confusing, and you will sometimes have to figure out by context whether they're talking about a computer or a program.

Setup .netrc for SFTP connection with private key

I have a machine that I want to setup an SFTP connection to. The SSH server is running properly, I can ssh into it from my client computer, and I can SFTP in from my smartphone. I'm just a bit confused on how to properly configure the ~/.netrc file. The server computer is running Ubuntu, the client computer is running OSX.
Here are my main requirements for what I'm trying to configure:
Alias. I don't have a DNS name for the computer I'm connecting to, just the IP address. ~/.ssh/config is great because it basically assigns aliases to connections, and then specifies the hostname, port, etc. Looking at the man page for ~/.netrc, I don't see a way to do this.
Private Key. This SFTP connection is validated using a private key. I don't see anything in the ~/.netrc man page about how to specify the key.
If ~/.netrc is the wrong way to go, what alternatives would be better?

PuTTY Pageant protocol?

ssh-agent has a protocol whereby data can be sent to it to get signed by a particular private key:
http://api.libssh.org/rfc/PROTOCOL.agent
In Linux, with ssh-agent, you'd open a Unix domain socket to SSH_AUTH_SOCK and send the packets to that. Windows, however, doesn't have a Unix domain socket.
Any ideas?
Thanks!
The communication between PuTTY and Pageant is done over shared memory using Win32 APIs. I have implemented that protocol in Java with JNA. If you are interested in its protocol and want to learn how it runs on Windows, the following file may be useful:
https://github.com/ymnk/jsch-agent-proxy/blob/master/jsch-agent-proxy-pageant/src/main/java/com/jcraft/jsch/agentproxy/connector/PageantConnector.java
If you're implementing the protocol in C, you might reference the canonical PuTTY implementation. If you're implementing it in Python, the paramiko project implements the PuTTY Pageant protocol.
As best I understand, the protocol is the same, but the transport is different, using shared memory rather than sockets.
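As an added example (not code from the answers above, nor from jsch-agent-proxy, paramiko or PuTTY), here is the Pageant transport described in this thread in Java with JNA: the request is written into a named file mapping, Pageant is told about it with a WM_COPYDATA message, and the reply overwrites the same buffer. The agent message itself is the ordinary ssh-agent wire format (4-byte big-endian length, type byte, payload). It assumes jna-platform on the classpath, Windows, and a running Pageant; the window class/name, the 8192-byte limit, the mapping-name format and the 0x804e50ba magic are the values used by PuTTY's source.

```java
// Added example: Pageant shared-memory transport + SSH2_AGENTC_REQUEST_IDENTITIES.
// Not the code of jsch-agent-proxy, paramiko or PuTTY; assumes jna-platform and Windows.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import com.sun.jna.Memory;
import com.sun.jna.Native;
import com.sun.jna.Pointer;
import com.sun.jna.platform.win32.BaseTSD.ULONG_PTR;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.User32;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinDef.HWND;
import com.sun.jna.platform.win32.WinDef.LPARAM;
import com.sun.jna.platform.win32.WinDef.WPARAM;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinUser;

public class PageantClient {
    // Values taken from PuTTY's pageant.h / windows/pageant.c
    private static final int AGENT_MAX_MSGLEN = 8192;
    private static final long AGENT_COPYDATA_ID = 0x804e50baL;
    private static final int WM_COPYDATA = 0x004A;
    private static final int PAGE_READWRITE = 0x04;
    private static final int FILE_MAP_WRITE = 0x0002;
    private static final byte SSH2_AGENTC_REQUEST_IDENTITIES = 11;
    private static final byte SSH2_AGENT_IDENTITIES_ANSWER = 12;

    /** Sends one length-prefixed agent message to Pageant over shared memory and returns the reply. */
    public static byte[] query(byte[] request) {
        if (request.length > AGENT_MAX_MSGLEN) throw new IllegalArgumentException("request too large");
        HWND hwnd = User32.INSTANCE.FindWindow("Pageant", "Pageant");
        if (hwnd == null) throw new IllegalStateException("Pageant window not found (is Pageant running?)");

        // The mapping name carries the caller's thread id; Pageant opens the mapping by this name.
        String mapName = String.format("PageantRequest%08x", Kernel32.INSTANCE.GetCurrentThreadId());
        // PuTTY's own client passes security attributes naming the user as owner, because Pageant
        // checks the mapping's owner; a null SA relies on the default owner being the user's SID.
        HANDLE mapping = Kernel32.INSTANCE.CreateFileMapping(WinBase.INVALID_HANDLE_VALUE, null,
                PAGE_READWRITE, 0, AGENT_MAX_MSGLEN, mapName);
        if (mapping == null) throw new IllegalStateException("CreateFileMapping failed: " + Native.getLastError());
        Pointer view = Kernel32.INSTANCE.MapViewOfFile(mapping, FILE_MAP_WRITE, 0, 0, 0);
        try {
            view.write(0, request, 0, request.length);

            byte[] name = mapName.getBytes(StandardCharsets.US_ASCII);
            Memory lpData = new Memory(name.length + 1);          // NUL-terminated mapping name
            lpData.write(0, name, 0, name.length);
            lpData.setByte(name.length, (byte) 0);
            WinUser.COPYDATASTRUCT cds = new WinUser.COPYDATASTRUCT();
            cds.dwData = new ULONG_PTR(AGENT_COPYDATA_ID);
            cds.cbData = name.length + 1;
            cds.lpData = lpData;
            cds.write();

            long rc = User32.INSTANCE.SendMessage(hwnd, WM_COPYDATA, new WPARAM(0),
                    new LPARAM(Pointer.nativeValue(cds.getPointer()))).longValue();
            if (rc <= 0) throw new IllegalStateException("Pageant rejected the request");

            // Pageant overwrites the same buffer with the reply: big-endian length, then body.
            int len = ByteBuffer.wrap(view.getByteArray(0, 4)).getInt();
            if (len < 1 || 4 + len > AGENT_MAX_MSGLEN) throw new IllegalStateException("bad reply length " + len);
            return view.getByteArray(0, 4 + len);
        } finally {
            Kernel32.INSTANCE.UnmapViewOfFile(view);
            Kernel32.INSTANCE.CloseHandle(mapping);
        }
    }

    /** SSH2_AGENTC_REQUEST_IDENTITIES: uint32 length = 1, then the type byte. */
    public static byte[] requestIdentities() {
        return new byte[] {0, 0, 0, 1, SSH2_AGENTC_REQUEST_IDENTITIES};
    }

    /** Parses SSH2_AGENT_IDENTITIES_ANSWER into "keytype comment" lines. */
    public static List<String> parseIdentities(byte[] reply) {
        ByteBuffer bb = ByteBuffer.wrap(reply);      // the agent protocol is big-endian
        bb.getInt();                                 // total length, validated in query()
        if (bb.get() != SSH2_AGENT_IDENTITIES_ANSWER) throw new IllegalStateException("unexpected reply type");
        int count = bb.getInt();
        List<String> keys = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            byte[] blob = readString(bb);            // public key blob: "string keytype, ..."
            String comment = new String(readString(bb), StandardCharsets.UTF_8);
            String keyType = new String(readString(ByteBuffer.wrap(blob)), StandardCharsets.US_ASCII);
            keys.add(keyType + " " + comment);
        }
        return keys;
    }

    private static byte[] readString(ByteBuffer bb) {
        int n = bb.getInt();
        if (n < 0 || n > bb.remaining()) throw new IllegalStateException("malformed string length " + n);
        byte[] s = new byte[n];
        bb.get(s);
        return s;
    }

    public static void main(String[] args) {
        for (String key : parseIdentities(query(requestIdentities()))) System.out.println(key);
    }
}
```

Only query() is Windows-specific; requestIdentities() and parseIdentities() are the same bytes an OpenSSH ssh-agent exchanges over SSH_AUTH_SOCK, which is the "same protocol, different transport" point of the answer. A sign request (type 13, with key blob, data and flags) goes through the same query() unchanged.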

noVNC connecting to VNCServer on private LAN using HTTPS only

Not sure if I'm really up to date, but I'm looking for a way to convert my existing project to use HTML5 WebSockets.
Here's my situation :
- Client runs a modified java vnc applet with extra parameter (CONNECT).
- Modified stunnel listening on the webserver (with both public and private IP) port 443
- Client connects to 443 and sends (prior to RFB) a HTTP packet like :
'CONNECT 10.0.0.1:4001'
- Stunnel opens a new stream to 10.0.0.1:4001 using SSL wrapper
- VNC Server (@10.0.0.1:4001) responds, connection is established.
Now I want to get rid of the Java Applet and switch to Websocket using NoVNC.
I want to be able to :
- Open a single port on the webserver (HTTPS preferably)
- Have client connect using HTML5 only (no more java applet)
I cannot change :
- VNCServer will still be listening on private LAN only.
- VNCServer will still listen on a bunch of ports, each corresponding to a virtual server
Questions are :
- How to give NoVNC the notion of target HOST:PORT ?
- Is stunnel still usable? Or should I change to a websocket proxy?
If anyone has a starting point, I'd really appreciate it!
Disclaimer: I created noVNC so my answer may be heavily biased ;-)
I'll answer your second question first:
stunnel cannot be used directly by noVNC. The issue is that the WebSockets protocol has an HTTP-like initial handshake and the messages are framed. In addition, until binary payload support is added to WebSockets, the payload is base64 encoded by the websockets proxy (websockify). Adding the necessary support to stunnel would be non-trivial but certainly doable. In fact noVNC issue #37 is an aspirational feature to add this support to stunnel.
First question:
noVNC already has a concept of HOST:PORT via the RFB.connect(host, port, password) method. The file vnc_auto.html at the top level shows how to get noVNC to automatically connect on page load based on the host, port and password specified as URL query string parameters.
However, I think what you are really asking is how do you get noVNC to connect to alternate VNC server ports on the backend. This problem is not directly addressed by noVNC and websockify. There are several ways to solve this and it usually involves an out-of-band setup/authorization mechanism so that the proxy can't be used to launch attacks by arbitrary hosts. For example, at my company we have a web based management framework that integrates noVNC and when the user wants to connect to the console, an authenticated AJAX call is used to configure the proxy for that particular user and the system they want to connect to. Our web management interface is internal only.
Ganeti Web Manager uses a similar model and the source is available. They have a fork of VNCAuthProxy that has WebSockets support. They use a control channel from the web interface to the VNCAuthProxy to setup a temporary password associated with a specific VNC server host:port.
Also OpenStack (Nova), which integrates noVNC, uses a similar out-of-band token-based model to allow access with their nova-vncproxy.
Some links:
Ganeti Web Manager
Wiki page about how noVNC works in Ganeti Web Manager
Ganeti Web Manager sources
Ganeti Web Manager VNCAuthProxy sources
Using noVNC in Nova/OpenStack
OpenStack fork of noVNC
Old nova-vnc-proxy code
Current nova vnc proxy code
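As an added example (not code from noVNC, websockify, Ganeti Web Manager or OpenStack), here is the out-of-band token model the answer describes, reduced to its core in Java: the authenticated web application asks a broker for a token bound to one specific VNC host:port, and the WebSocket proxy redeems that token on connect to learn its target, so the browser never gets to name a backend. The permission map, the 30-second TTL, the `token` query parameter and the target addresses are assumptions for the demo; record types need Java 16 or later.

```java
// Added example: token-based target selection for a websockify-style proxy.
// Not the code of noVNC, websockify, Ganeti Web Manager or OpenStack.
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

public class VncTargetBroker {

    /** A VNC backend on the private LAN; the browser never names one of these directly. */
    public record Target(String host, int port) { }

    /** What a token stands for: which user, which console, until when. */
    private record Grant(String user, Target target, Instant expires) { }

    private final Map<String, Set<Target>> permissions;                   // user -> consoles they may open
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();  // token -> grant
    private final Duration ttl;
    private final Supplier<Instant> clock;
    private final SecureRandom random = new SecureRandom();

    public VncTargetBroker(Map<String, Set<Target>> permissions, Duration ttl, Supplier<Instant> clock) {
        this.permissions = Map.copyOf(permissions);
        this.ttl = ttl;
        this.clock = clock;
    }

    /**
     * Out-of-band step: the web application, after authenticating the user, asks for a token
     * for one console. Unauthorised targets get no token, so the proxy never learns of them.
     */
    public Optional<String> issueToken(String user, Target target) {
        if (!permissions.getOrDefault(user, Set.of()).contains(target)) {
            return Optional.empty();
        }
        byte[] raw = new byte[32];                                   // 256 bits of entropy
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(user, target, clock.get().plus(ttl)));
        return Optional.of(token);
    }

    /**
     * Proxy step: when the WebSocket client connects with ?token=..., resolve it to a target.
     * The grant is removed before it is checked, so a token can be used at most once.
     * (A real deployment would also purge expired grants periodically.)
     */
    public Optional<Target> redeem(String token) {
        if (token == null) return Optional.empty();
        Grant grant = grants.remove(token);
        if (grant == null || clock.get().isAfter(grant.expires())) {
            return Optional.empty();
        }
        return Optional.of(grant.target());
    }

    /** Extracts the token from a request path such as "/websockify?token=abc"; no other parameter is trusted. */
    public static Optional<String> tokenFromPath(String path) {
        int q = path.indexOf('?');
        if (q < 0) return Optional.empty();
        for (String pair : path.substring(q + 1).split("&")) {
            if (pair.startsWith("token=")) return Optional.of(pair.substring("token=".length()));
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Target vm1 = new Target("10.0.0.1", 4001);   // assumed private-LAN consoles
        Target vm2 = new Target("10.0.0.1", 4002);
        VncTargetBroker broker = new VncTargetBroker(
                Map.of("alice", Set.of(vm1)), Duration.ofSeconds(30), Instant::now);

        // alice is allowed vm1 only, so the second request yields no token
        String token = broker.issueToken("alice", vm1).orElseThrow();
        System.out.println("vm2 token issued: " + broker.issueToken("alice", vm2).isPresent());
        // the proxy redeems the token from the WebSocket path; a second redemption fails (single use)
        System.out.println("first redeem: " + broker.redeem(tokenFromPath("/websockify?token=" + token).orElseThrow()));
        System.out.println("second redeem: " + broker.redeem(token));
        // a token nobody issued resolves to nothing
        System.out.println("unknown token: " + broker.redeem("not-a-token"));
    }
}
```

In a deployment, issueToken() sits behind the web application's existing authentication, redeem() is called by the WebSocket proxy during the handshake before it opens the TCP connection to host:port, and the browser page passes only the token to noVNC. This keeps the proxy from being usable as a generic connect-anywhere relay, which is the attack the answer warns about.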