sshuttle/docs/usage.rst

Usage
=====

.. note::

    For information on usage with Windows, see the :doc:`windows` section.
    For information on using the TProxy method, see the :doc:`tproxy` section.

Forward all traffic::

    sshuttle -r username@sshserver 0.0.0.0/0

- Use the :option:`sshuttle -r` parameter to specify a remote server.
  On some systems, you may also need to use the :option:`sshuttle -x`
  parameter to exclude sshserver or sshserver:22 so that your local
  machine can communicate directly to sshserver without it being
  redirected by sshuttle.

- By default sshuttle will automatically choose a method to use. Override with
  the :option:`sshuttle --method` parameter.

- There is a shortcut for 0.0.0.0/0 for those that value
  their wrists::

      sshuttle -r username@sshserver 0/0


- For 'My VPN broke and need a temporary solution FAST to access local IPv4 addresses'::

      sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

If you would also like your DNS queries to be proxied
through the DNS server of the server you are connect to::

  sshuttle --dns -r username@sshserver 0/0

The above is probably what you want to use to prevent
local network attacks such as Firesheep and friends.
See the documentation for the :option:`sshuttle --dns` parameter.

(You may be prompted for one or more passwords; first, the local password to
become root using sudo, and then the remote ssh password.  Or you might have
sudo and ssh set up to not require passwords, in which case you won't be
prompted at all.)


Usage Notes
-----------
That's it!  Now your local machine can access the remote network as if you
were right there.  And if your "client" machine is a router, everyone on
your local network can make connections to your remote network.

You don't need to install sshuttle on the remote server;
the remote server just needs to have python available.
sshuttle will automatically upload and run its source code
to the remote python interpreter.

This creates a transparent proxy server on your local machine for all IP
addresses that match 0.0.0.0/0.  (You can use more specific IP addresses if
you want; use any number of IP addresses or subnets to change which
addresses get proxied.  Using 0.0.0.0/0 proxies *everything*, which is
interesting if you don't trust the people on your local network.)

Any TCP session you initiate to one of the proxied IP addresses will be
captured by sshuttle and sent over an ssh session to the remote copy of
sshuttle, which will then regenerate the connection on that end, and funnel
the data back and forth through ssh.

Fun, right?  A poor man's instant VPN, and you don't even have to have
admin access on the server.

Sudoers File
------------

sshuttle can generate a sudoers.d file for Linux and MacOS. This
allows one or more users to run sshuttle without entering the
local sudo password. **WARNING:** This option is *insecure*
because, with some cleverness, it also allows these users to run any
command (via the --ssh-cmd option) as root without a password.

To print a sudo configuration file and see a suggested way to install it, run::

  sshuttle --sudoers-no-modify

A custom user or group can be set with the 
:option:`sshuttle --sudoers-no-modify --sudoers-user {user_descriptor}`
option. Valid values for this vary based on how your system is configured.
Values such as usernames, groups prepended with `%` and sudoers user 
aliases will work. See the sudoers manual for more information on valid
user-specified actions. The option must be used with `--sudoers-no-modify`::

  sshuttle --sudoers-no-modify --sudoers-user mike
  sshuttle --sudoers-no-modify --sudoers-user %sudo
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00			`Usage`
			`=====`
Add Windows documentation Copied from https://coderwall.com/p/adfxgw/sshuttle-on-windows Closes #64 2016-01-20 10:55:10 +01:00
			`.. note::`

			For information on usage with Windows, see the :doc:`windows` section.
			For information on using the TProxy method, see the :doc:`tproxy` section.

Update usage documentation 2016-01-20 11:19:44 +01:00			`Forward all traffic::`
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00
Update usage documentation 2016-01-20 11:19:44 +01:00			`sshuttle -r username@sshserver 0.0.0.0/0`

			- Use the :option:`sshuttle -r` parameter to specify a remote server.
fixing a tiny typo 2024-01-29 11:34:22 +01:00			On some systems, you may also need to use the :option:`sshuttle -x`
Update documentation The output in the examples provided in the man page hadn't been updated as sshuttle changed its output over time. The example of testing sshuttle without a remote host was removed. It was the first example previously and it is something that is unlikely users will wish to do. Also: - Update some --help messages. - Manpage: Fix a typo. - Manpage: Mention that host specified with -r can be an ssh alias. - Eliminate variable only used once. 2020-10-21 07:05:21 +02:00			`parameter to exclude sshserver or sshserver:22 so that your local`
			`machine can communicate directly to sshserver without it being`
			`redirected by sshuttle.`
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00
			`- By default sshuttle will automatically choose a method to use. Override with`
Update usage documentation 2016-01-20 11:19:44 +01:00			the :option:`sshuttle --method` parameter.
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00
			`- There is a shortcut for 0.0.0.0/0 for those that value`
			`their wrists::`

			`sshuttle -r username@sshserver 0/0`

Add 'My VPN broke and need a solution fast' to the docs. 2020-05-14 22:43:33 +02:00
Fix formatting typos in usage docs 2020-07-04 12:02:44 +02:00			`- For 'My VPN broke and need a temporary solution FAST to access local IPv4 addresses'::`
Add 'My VPN broke and need a solution fast' to the docs. 2020-05-14 22:43:33 +02:00
			`sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`

Update usage documentation 2016-01-20 11:19:44 +01:00			`If you would also like your DNS queries to be proxied`
			`through the DNS server of the server you are connect to::`
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00
Update usage documentation 2016-01-20 11:19:44 +01:00			`sshuttle --dns -r username@sshserver 0/0`
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00
Update usage documentation 2016-01-20 11:19:44 +01:00			`The above is probably what you want to use to prevent`
			`local network attacks such as Firesheep and friends.`
			See the documentation for the :option:`sshuttle --dns` parameter.
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00
			`(You may be prompted for one or more passwords; first, the local password to`
			`become root using sudo, and then the remote ssh password. Or you might have`
			`sudo and ssh set up to not require passwords, in which case you won't be`
			`prompted at all.)`


			`Usage Notes`
			`-----------`
			`That's it! Now your local machine can access the remote network as if you`
			`were right there. And if your "client" machine is a router, everyone on`
			`your local network can make connections to your remote network.`

			`You don't need to install sshuttle on the remote server;`
Trim excess whitespace 2021-09-22 14:13:22 +02:00			`the remote server just needs to have python available.`
Use Sphinx for documentation See #60 2016-01-17 06:16:36 +01:00			`sshuttle will automatically upload and run its source code`
			`to the remote python interpreter.`

			`This creates a transparent proxy server on your local machine for all IP`
			`addresses that match 0.0.0.0/0. (You can use more specific IP addresses if`
			`you want; use any number of IP addresses or subnets to change which`
			`addresses get proxied. Using 0.0.0.0/0 proxies everything, which is`
			`interesting if you don't trust the people on your local network.)`

			`Any TCP session you initiate to one of the proxied IP addresses will be`
			`captured by sshuttle and sent over an ssh session to the remote copy of`
			`sshuttle, which will then regenerate the connection on that end, and funnel`
			`the data back and forth through ssh.`

			`Fun, right? A poor man's instant VPN, and you don't even have to have`
			`admin access on the server.`

Auto sudoers file (#269) * added sudoers options to command line arguments * added sudoers options to command line arguments * template for sudoers file * Added option for GUI sudo * added support for GUI sudo * script for auto adding sudo file * sudoers auto add works and validates * small change * Clean up for CI * removed code that belongs in another PR * added path for package bins * added sudoers bin * added sudoers-add to setup file * fixed issue with sudoers bash script * auto sudoers now works * added --sudoers-no-modify option * bin now works with ./run * removed debug print * Updated sudoers-add script * Fixed error passing sudoers config to script * more dynamic building of sudoers file * added option to specify sudoers.d file name * fixed indent issue * fixed indent issue * indent issue * clean up * formating * docs * fix for flags * Update usage.rst * removed shell=true * cleared CI errors * cleared CI errors * removed random * cleared linter issue * cleared linter issue * cleared linter issue * updated sudoers-add script * safer temp file * moved bin directory * moved bin directory * removed print * fixed spacing issue * sudoers commands must only containe upper case latters 2019-12-12 22:15:31 +01:00			`Sudoers File`
			`------------`

Remove --sudoers, improve --sudoers-no-modify Allowing sshuttle to add/overwrite sudoers configuration file at locations of the users' choosing adds complexity to the code compared to asking users to install the sudo configuration themselves. It requires sshuttle to make decisions about how much effort we put into ensuring that the file is written to a proper location. The current method relies on the 'realpath' program which is not installed on MacOS by default. There are serious problems when the sudo configuration is used to allow a user to only run sshuttle as root (with or without a password). First, that user could then use the --sudoers option to give other users sudo privileges. Second, the user can run any command as root because sshuttle accepts a --ssh-cmd parameter which allows a user to specify a program that sshuttle should run. There may also be additional issues that we have not identified. By removing the --sudoers option (and the associated sudoers-add script), this reduces the problems above. This code keeps the --sudoers-no-modify feature which prints a configuration to stdout for the user to install. It includes a clear warning about how --ssh-cmd could potentially be abused to run other programs. A warning about some of these issues has been in sshuttle since version 1.1.0. This commit also adds that warning to more locations in the documentation. 2022-03-04 18:15:24 +01:00			`sshuttle can generate a sudoers.d file for Linux and MacOS. This`
			`allows one or more users to run sshuttle without entering the`
			`local sudo password. WARNING: This option is insecure`
			`because, with some cleverness, it also allows these users to run any`
			`command (via the --ssh-cmd option) as root without a password.`
Auto sudoers file (#269) * added sudoers options to command line arguments * added sudoers options to command line arguments * template for sudoers file * Added option for GUI sudo * added support for GUI sudo * script for auto adding sudo file * sudoers auto add works and validates * small change * Clean up for CI * removed code that belongs in another PR * added path for package bins * added sudoers bin * added sudoers-add to setup file * fixed issue with sudoers bash script * auto sudoers now works * added --sudoers-no-modify option * bin now works with ./run * removed debug print * Updated sudoers-add script * Fixed error passing sudoers config to script * more dynamic building of sudoers file * added option to specify sudoers.d file name * fixed indent issue * fixed indent issue * indent issue * clean up * formating * docs * fix for flags * Update usage.rst * removed shell=true * cleared CI errors * cleared CI errors * removed random * cleared linter issue * cleared linter issue * cleared linter issue * updated sudoers-add script * safer temp file * moved bin directory * moved bin directory * removed print * fixed spacing issue * sudoers commands must only containe upper case latters 2019-12-12 22:15:31 +01:00
Remove --sudoers, improve --sudoers-no-modify Allowing sshuttle to add/overwrite sudoers configuration file at locations of the users' choosing adds complexity to the code compared to asking users to install the sudo configuration themselves. It requires sshuttle to make decisions about how much effort we put into ensuring that the file is written to a proper location. The current method relies on the 'realpath' program which is not installed on MacOS by default. There are serious problems when the sudo configuration is used to allow a user to only run sshuttle as root (with or without a password). First, that user could then use the --sudoers option to give other users sudo privileges. Second, the user can run any command as root because sshuttle accepts a --ssh-cmd parameter which allows a user to specify a program that sshuttle should run. There may also be additional issues that we have not identified. By removing the --sudoers option (and the associated sudoers-add script), this reduces the problems above. This code keeps the --sudoers-no-modify feature which prints a configuration to stdout for the user to install. It includes a clear warning about how --ssh-cmd could potentially be abused to run other programs. A warning about some of these issues has been in sshuttle since version 1.1.0. This commit also adds that warning to more locations in the documentation. 2022-03-04 18:15:24 +01:00			`To print a sudo configuration file and see a suggested way to install it, run::`
Auto sudoers file (#269) * added sudoers options to command line arguments * added sudoers options to command line arguments * template for sudoers file * Added option for GUI sudo * added support for GUI sudo * script for auto adding sudo file * sudoers auto add works and validates * small change * Clean up for CI * removed code that belongs in another PR * added path for package bins * added sudoers bin * added sudoers-add to setup file * fixed issue with sudoers bash script * auto sudoers now works * added --sudoers-no-modify option * bin now works with ./run * removed debug print * Updated sudoers-add script * Fixed error passing sudoers config to script * more dynamic building of sudoers file * added option to specify sudoers.d file name * fixed indent issue * fixed indent issue * indent issue * clean up * formating * docs * fix for flags * Update usage.rst * removed shell=true * cleared CI errors * cleared CI errors * removed random * cleared linter issue * cleared linter issue * cleared linter issue * updated sudoers-add script * safer temp file * moved bin directory * moved bin directory * removed print * fixed spacing issue * sudoers commands must only containe upper case latters 2019-12-12 22:15:31 +01:00
			`sshuttle --sudoers-no-modify`

Remove --sudoers, improve --sudoers-no-modify Allowing sshuttle to add/overwrite sudoers configuration file at locations of the users' choosing adds complexity to the code compared to asking users to install the sudo configuration themselves. It requires sshuttle to make decisions about how much effort we put into ensuring that the file is written to a proper location. The current method relies on the 'realpath' program which is not installed on MacOS by default. There are serious problems when the sudo configuration is used to allow a user to only run sshuttle as root (with or without a password). First, that user could then use the --sudoers option to give other users sudo privileges. Second, the user can run any command as root because sshuttle accepts a --ssh-cmd parameter which allows a user to specify a program that sshuttle should run. There may also be additional issues that we have not identified. By removing the --sudoers option (and the associated sudoers-add script), this reduces the problems above. This code keeps the --sudoers-no-modify feature which prints a configuration to stdout for the user to install. It includes a clear warning about how --ssh-cmd could potentially be abused to run other programs. A warning about some of these issues has been in sshuttle since version 1.1.0. This commit also adds that warning to more locations in the documentation. 2022-03-04 18:15:24 +01:00			`A custom user or group can be set with the`
			:option:`sshuttle --sudoers-no-modify --sudoers-user {user_descriptor}`
			`option. Valid values for this vary based on how your system is configured.`
Fix typos discovered by codespell https://pypi.org/project/codespell 2024-01-30 15:41:42 +01:00			Values such as usernames, groups prepended with `%` and sudoers user
Remove --sudoers, improve --sudoers-no-modify Allowing sshuttle to add/overwrite sudoers configuration file at locations of the users' choosing adds complexity to the code compared to asking users to install the sudo configuration themselves. It requires sshuttle to make decisions about how much effort we put into ensuring that the file is written to a proper location. The current method relies on the 'realpath' program which is not installed on MacOS by default. There are serious problems when the sudo configuration is used to allow a user to only run sshuttle as root (with or without a password). First, that user could then use the --sudoers option to give other users sudo privileges. Second, the user can run any command as root because sshuttle accepts a --ssh-cmd parameter which allows a user to specify a program that sshuttle should run. There may also be additional issues that we have not identified. By removing the --sudoers option (and the associated sudoers-add script), this reduces the problems above. This code keeps the --sudoers-no-modify feature which prints a configuration to stdout for the user to install. It includes a clear warning about how --ssh-cmd could potentially be abused to run other programs. A warning about some of these issues has been in sshuttle since version 1.1.0. This commit also adds that warning to more locations in the documentation. 2022-03-04 18:15:24 +01:00			`aliases will work. See the sudoers manual for more information on valid`
Update usage.rst 2024-01-30 15:49:56 +01:00			user-specified actions. The option must be used with `--sudoers-no-modify`::
Auto sudoers file (#269) * added sudoers options to command line arguments * added sudoers options to command line arguments * template for sudoers file * Added option for GUI sudo * added support for GUI sudo * script for auto adding sudo file * sudoers auto add works and validates * small change * Clean up for CI * removed code that belongs in another PR * added path for package bins * added sudoers bin * added sudoers-add to setup file * fixed issue with sudoers bash script * auto sudoers now works * added --sudoers-no-modify option * bin now works with ./run * removed debug print * Updated sudoers-add script * Fixed error passing sudoers config to script * more dynamic building of sudoers file * added option to specify sudoers.d file name * fixed indent issue * fixed indent issue * indent issue * clean up * formating * docs * fix for flags * Update usage.rst * removed shell=true * cleared CI errors * cleared CI errors * removed random * cleared linter issue * cleared linter issue * cleared linter issue * updated sudoers-add script * safer temp file * moved bin directory * moved bin directory * removed print * fixed spacing issue * sudoers commands must only containe upper case latters 2019-12-12 22:15:31 +01:00
Remove --sudoers, improve --sudoers-no-modify Allowing sshuttle to add/overwrite sudoers configuration file at locations of the users' choosing adds complexity to the code compared to asking users to install the sudo configuration themselves. It requires sshuttle to make decisions about how much effort we put into ensuring that the file is written to a proper location. The current method relies on the 'realpath' program which is not installed on MacOS by default. There are serious problems when the sudo configuration is used to allow a user to only run sshuttle as root (with or without a password). First, that user could then use the --sudoers option to give other users sudo privileges. Second, the user can run any command as root because sshuttle accepts a --ssh-cmd parameter which allows a user to specify a program that sshuttle should run. There may also be additional issues that we have not identified. By removing the --sudoers option (and the associated sudoers-add script), this reduces the problems above. This code keeps the --sudoers-no-modify feature which prints a configuration to stdout for the user to install. It includes a clear warning about how --ssh-cmd could potentially be abused to run other programs. A warning about some of these issues has been in sshuttle since version 1.1.0. This commit also adds that warning to more locations in the documentation. 2022-03-04 18:15:24 +01:00			`sshuttle --sudoers-no-modify --sudoers-user mike`
			`sshuttle --sudoers-no-modify --sudoers-user %sudo`