Port pre-assignment #146
Port pre-assignment #146
Conversation
|
This is linked to issue #144 |
|
This time lint says |
|
Hrm, it looks like something changed with GitHub actions. Let me look into that... |
|
I've went ahead and fixed the actions, just rebase your PR onto the latest master and you should be good to go! |
|
Ok, so I have reimplemented it completely. certHolder is now a map and I reworked CheckPort and GetRandomPortInRange so that it makes much more sense now. Also, I am using permitlisten now and also support multiple possible ports that can be allocated |
|
Hey @santomet! Mind rebasing on top of master? |
utils/utils.go
Outdated
| @@ -262,7 +292,7 @@ func WatchCerts() { | |||
| // loadCerts loads public keys from the keys directory into a slice that is used | |||
| // authenticating a user. | |||
| func loadCerts() { | |||
| tmpCertHolder := make([]ssh.PublicKey, 0) | |||
| tmpCertHolder := make(map[string][]string) | |||
There was a problem hiding this comment.
This should still be publickey. We want to compare them byte by byte.
There was a problem hiding this comment.
This still works as expected, the key in Extensions["pubKey"] is string anyway! Also, we need something comparable if we want a map
There was a problem hiding this comment.
You can still do a reference of the publickey string to a ssh.PublicKey object!
There was a problem hiding this comment.
I actually like the use of the struct retaining the public key and options. Then we can preload the options into a map[string]string to allow them for easy access (and therefore we can implement more of them easily!)
There was a problem hiding this comment.
Good, let's make options as map[string][]string because you can specify multiple permitlistens. We will do a poor man's multimap with this. We can also put comment into the structure for future use.
Ad ssh.PublicKey OK I can store that but not sure if there is any real reason
…as map[key]=[]allTheValues, + updated README.md and sish.go
| ln, err := net.Listen("tcp", fmt.Sprintf(":%d", bindPort)) | ||
| if err != nil { | ||
| return GetRandomPortInRange(portRange) | ||
| if len(authPorts) == 1 { | ||
| return 0 |
There was a problem hiding this comment.
0 will be a random port anyway. We want to still get a random port in a range (i.e. 1024-2048)
There was a problem hiding this comment.
No, my intention, in this case, is to block it. If all the ports in permitlisten are bind, you should not be able to create the tunnel
There was a problem hiding this comment.
We need to update the method to return an error then. I think returning 0 would still allow the tunnel to bind, wouldn't it?
…d-gcloud Updated repository references and add gcloud tutorial
…rade Updated dependencies and fix antoniomika#155
|
Hi @santomet, Closing this for now since there haven't been any updates. If you end up updating, feel free to reopen the PR! |
|
Hi, |
|
@antoniomika bump and I think, that @santomet cannot reopen the PR by himself |
| ln, err := net.Listen("tcp", fmt.Sprintf(":%d", bindPort)) | ||
| if err != nil { | ||
| return GetRandomPortInRange(portRange) | ||
| if len(authPorts) == 1 { | ||
| return 0 |
There was a problem hiding this comment.
We need to update the method to return an error then. I think returning 0 would still allow the tunnel to bind, wouldn't it?
If you use authentication keys, you can also pre-assign the port that a particular host can bind
with this option:
--use-ports-from-keysIt is slightly abusing the auth_keys specifications (sshd(8)) according to which you can specify
SSH options within the keys. Your line in pubkeys directory might look like this:
sishport="12345" ssh-rsa THE_PUBKEY_IS_HERE comment@HOSTNAMESish will allow the host to use only this particular port for TCP forwarding.
This might be useful for managing multiple computers to which 3rd party might have access.
If you do this for every machine, none of them can block the pre-designated port dedicated for the other
even if somebody tried to mangle the settings.