Merge pull request #682 from a1346054/fixes
Simple maintenance improvements
commit
9399cf10f6
@ -133,7 +133,7 @@ Fixed
|
|||||||
|
|
||||||
Added
|
Added
|
||||||
~~~~~
|
~~~~~
|
||||||
* doas support as replacmeent for sudo on OpenBSD.
|
* doas support as replacement for sudo on OpenBSD.
|
||||||
* Added ChromeOS section to documentation (#262)
|
* Added ChromeOS section to documentation (#262)
|
||||||
* Add --no-sudo-pythonpath option
|
* Add --no-sudo-pythonpath option
|
||||||
|
|
||||||
|
10
README.rst
10
README.rst
@ -24,7 +24,7 @@ common case:
|
|||||||
- You can't use openssh's PermitTunnel feature because
|
- You can't use openssh's PermitTunnel feature because
|
||||||
it's disabled by default on openssh servers; plus it does
|
it's disabled by default on openssh servers; plus it does
|
||||||
TCP-over-TCP, which has `terrible performance`_.
|
TCP-over-TCP, which has `terrible performance`_.
|
||||||
|
|
||||||
.. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html
|
.. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html
|
||||||
|
|
||||||
Obtaining sshuttle
|
Obtaining sshuttle
|
||||||
@ -37,7 +37,7 @@ Obtaining sshuttle
|
|||||||
- Debian stretch or later::
|
- Debian stretch or later::
|
||||||
|
|
||||||
apt-get install sshuttle
|
apt-get install sshuttle
|
||||||
|
|
||||||
- Arch Linux::
|
- Arch Linux::
|
||||||
|
|
||||||
pacman -S sshuttle
|
pacman -S sshuttle
|
||||||
@ -45,13 +45,13 @@ Obtaining sshuttle
|
|||||||
- Fedora::
|
- Fedora::
|
||||||
|
|
||||||
dnf install sshuttle
|
dnf install sshuttle
|
||||||
|
|
||||||
- openSUSE::
|
- openSUSE::
|
||||||
|
|
||||||
zypper in sshuttle
|
zypper in sshuttle
|
||||||
|
|
||||||
- Gentoo::
|
- Gentoo::
|
||||||
|
|
||||||
emerge -av net-proxy/sshuttle
|
emerge -av net-proxy/sshuttle
|
||||||
|
|
||||||
- NixOS::
|
- NixOS::
|
||||||
@ -116,5 +116,5 @@ https://sshuttle.readthedocs.org/en/latest/
|
|||||||
|
|
||||||
Running as a service
|
Running as a service
|
||||||
--------------------
|
--------------------
|
||||||
Sshuttle can also be run as a service and configured using a config management system:
|
Sshuttle can also be run as a service and configured using a config management system:
|
||||||
https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe
|
https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe
|
||||||
|
@ -9,4 +9,3 @@ stretch/Debian 9 VM, you can then install sshuttle as on any Linux box and
|
|||||||
it just works, as do xterms and ssvncviewer etc.
|
it just works, as do xterms and ssvncviewer etc.
|
||||||
|
|
||||||
https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
|
https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
|
||||||
|
|
||||||
|
@ -34,4 +34,3 @@ sshuttle assembles the TCP stream locally, multiplexes it statefully over
|
|||||||
an ssh session, and disassembles it back into packets at the other end. So
|
an ssh session, and disassembles it back into packets at the other end. So
|
||||||
it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is
|
it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is
|
||||||
safe.
|
safe.
|
||||||
|
|
||||||
|
@ -26,4 +26,3 @@ Indices and tables
|
|||||||
|
|
||||||
* :ref:`genindex`
|
* :ref:`genindex`
|
||||||
* :ref:`search`
|
* :ref:`search`
|
||||||
|
|
||||||
|
@ -5,7 +5,7 @@ Installation
|
|||||||
|
|
||||||
pip install sshuttle
|
pip install sshuttle
|
||||||
|
|
||||||
- Debain package manager::
|
- Debian package manager::
|
||||||
|
|
||||||
sudo apt install sshuttle
|
sudo apt install sshuttle
|
||||||
|
|
||||||
|
@ -344,7 +344,7 @@ information::
|
|||||||
$ sshuttle -r example.com -x example.com:22 0/0
|
$ sshuttle -r example.com -x example.com:22 0/0
|
||||||
|
|
||||||
Starting sshuttle proxy (version ...).
|
Starting sshuttle proxy (version ...).
|
||||||
[local sudo] Password:
|
[local sudo] Password:
|
||||||
fw: Starting firewall with Python version 3.9.5
|
fw: Starting firewall with Python version 3.9.5
|
||||||
fw: ready method name nat.
|
fw: ready method name nat.
|
||||||
c : IPv6 disabled since it isn't supported by method nat.
|
c : IPv6 disabled since it isn't supported by method nat.
|
||||||
@ -362,7 +362,7 @@ information::
|
|||||||
c : TCP redirector listening on ('127.0.0.1', 12299).
|
c : TCP redirector listening on ('127.0.0.1', 12299).
|
||||||
c : Starting client with Python version 3.9.5
|
c : Starting client with Python version 3.9.5
|
||||||
c : Connecting to server...
|
c : Connecting to server...
|
||||||
user@example.com's password:
|
user@example.com's password:
|
||||||
s: Starting server with Python version 3.6.8
|
s: Starting server with Python version 3.6.8
|
||||||
s: latency control setting = True
|
s: latency control setting = True
|
||||||
s: auto-nets:False
|
s: auto-nets:False
|
||||||
@ -383,7 +383,7 @@ and subnet guessing::
|
|||||||
|
|
||||||
$ sshuttle -vNHr example.com -x example.com:22
|
$ sshuttle -vNHr example.com -x example.com:22
|
||||||
Starting sshuttle proxy (version ...).
|
Starting sshuttle proxy (version ...).
|
||||||
[local sudo] Password:
|
[local sudo] Password:
|
||||||
fw: Starting firewall with Python version 3.9.5
|
fw: Starting firewall with Python version 3.9.5
|
||||||
fw: ready method name nat.
|
fw: ready method name nat.
|
||||||
c : IPv6 disabled since it isn't supported by method nat.
|
c : IPv6 disabled since it isn't supported by method nat.
|
||||||
@ -401,7 +401,7 @@ and subnet guessing::
|
|||||||
c : TCP redirector listening on ('127.0.0.1', 12300).
|
c : TCP redirector listening on ('127.0.0.1', 12300).
|
||||||
c : Starting client with Python version 3.9.5
|
c : Starting client with Python version 3.9.5
|
||||||
c : Connecting to server...
|
c : Connecting to server...
|
||||||
user@example.com's password:
|
user@example.com's password:
|
||||||
s: Starting server with Python version 3.6.8
|
s: Starting server with Python version 3.6.8
|
||||||
s: latency control setting = True
|
s: latency control setting = True
|
||||||
s: auto-nets:True
|
s: auto-nets:True
|
||||||
|
@ -81,7 +81,7 @@ Additional Suggested Software
|
|||||||
- If you are using systemd, sshuttle can notify it when the connection to
|
- If you are using systemd, sshuttle can notify it when the connection to
|
||||||
the remote end is established and the firewall rules are installed. For
|
the remote end is established and the firewall rules are installed. For
|
||||||
this feature to work you must configure the process start-up type for the
|
this feature to work you must configure the process start-up type for the
|
||||||
sshuttle service unit to notify, as shown in the example below.
|
sshuttle service unit to notify, as shown in the example below.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
:emphasize-lines: 6
|
:emphasize-lines: 6
|
||||||
@ -89,10 +89,10 @@ Additional Suggested Software
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=sshuttle
|
Description=sshuttle
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=notify
|
Type=notify
|
||||||
ExecStart=/usr/bin/sshuttle --dns --remote <user>@<server> <subnets...>
|
ExecStart=/usr/bin/sshuttle --dns --remote <user>@<server> <subnets...>
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -11,7 +11,7 @@ There are some things you need to consider for TPROXY to work:
|
|||||||
ip rule add fwmark {TMARK} lookup 100
|
ip rule add fwmark {TMARK} lookup 100
|
||||||
ip -6 route add local default dev lo table 100
|
ip -6 route add local default dev lo table 100
|
||||||
ip -6 rule add fwmark {TMARK} lookup 100
|
ip -6 rule add fwmark {TMARK} lookup 100
|
||||||
|
|
||||||
where {TMARK} is the identifier mark passed with -t or --tmark flag
|
where {TMARK} is the identifier mark passed with -t or --tmark flag
|
||||||
as a hexadecimal string (default value is '0x01').
|
as a hexadecimal string (default value is '0x01').
|
||||||
|
|
||||||
@ -20,7 +20,7 @@ There are some things you need to consider for TPROXY to work:
|
|||||||
|
|
||||||
- The client needs to be run as root. e.g.::
|
- The client needs to be run as root. e.g.::
|
||||||
|
|
||||||
sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy ...
|
sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy ...
|
||||||
|
|
||||||
- You may need to exclude the IP address of the server you are connecting to.
|
- You may need to exclude the IP address of the server you are connecting to.
|
||||||
Otherwise sshuttle may attempt to intercept the ssh packets, which will not
|
Otherwise sshuttle may attempt to intercept the ssh packets, which will not
|
||||||
|
@ -33,4 +33,3 @@ That project I did for Slipstream was what first gave me the idea to merge
|
|||||||
the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
|
the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
|
||||||
program that was the best of all worlds. And here we are, at last.
|
program that was the best of all worlds. And here we are, at last.
|
||||||
You're welcome.
|
You're welcome.
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@ were right there. And if your "client" machine is a router, everyone on
|
|||||||
your local network can make connections to your remote network.
|
your local network can make connections to your remote network.
|
||||||
|
|
||||||
You don't need to install sshuttle on the remote server;
|
You don't need to install sshuttle on the remote server;
|
||||||
the remote server just needs to have python available.
|
the remote server just needs to have python available.
|
||||||
sshuttle will automatically upload and run its source code
|
sshuttle will automatically upload and run its source code
|
||||||
to the remote python interpreter.
|
to the remote python interpreter.
|
||||||
|
|
||||||
@ -71,7 +71,7 @@ admin access on the server.
|
|||||||
|
|
||||||
Sudoers File
|
Sudoers File
|
||||||
------------
|
------------
|
||||||
sshuttle can auto-generate the proper sudoers.d file using the current user
|
sshuttle can auto-generate the proper sudoers.d file using the current user
|
||||||
for Linux and OSX. Doing this will allow sshuttle to run without asking for
|
for Linux and OSX. Doing this will allow sshuttle to run without asking for
|
||||||
the local sudo password and to give users who do not have sudo access
|
the local sudo password and to give users who do not have sudo access
|
||||||
ability to run sshuttle::
|
ability to run sshuttle::
|
||||||
@ -83,7 +83,7 @@ it is needed.
|
|||||||
|
|
||||||
A costume user or group can be set with the :
|
A costume user or group can be set with the :
|
||||||
option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
|
option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
|
||||||
values for this vary based on how your system is configured. Values such as
|
values for this vary based on how your system is configured. Values such as
|
||||||
usernames, groups pre-pended with `%` and sudoers user aliases will work. See
|
usernames, groups pre-pended with `%` and sudoers user aliases will work. See
|
||||||
the sudoers manual for more information on valid user specif actions.
|
the sudoers manual for more information on valid user specif actions.
|
||||||
The options must be used with `--sudoers`::
|
The options must be used with `--sudoers`::
|
||||||
@ -99,7 +99,7 @@ access to sshuttle. The default is `sshuttle_auto`::
|
|||||||
sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
|
sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
|
||||||
|
|
||||||
You can also see what configuration will be added to your system without
|
You can also see what configuration will be added to your system without
|
||||||
modifying anything. This can be helpfull is the auto feature does not work, or
|
modifying anything. This can be helpful if the auto feature does not work, or
|
||||||
you want more control. This option also works with `--sudoers-username`.
|
you want more control. This option also works with `--sudoers-username`.
|
||||||
`--sudoers-filename` has no effect with this option::
|
`--sudoers-filename` has no effect with this option::
|
||||||
|
|
||||||
|
@ -16,4 +16,4 @@ Assuming the VM has the IP 192.168.1.200 obtained on the bridge NIC (we can
|
|||||||
configure that in Vagrant), we can then ask Windows to route all its traffic
|
configure that in Vagrant), we can then ask Windows to route all its traffic
|
||||||
via the VM by running the following in cmd.exe with admin right::
|
via the VM by running the following in cmd.exe with admin right::
|
||||||
|
|
||||||
route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
|
route add 0.0.0.0 mask 0.0.0.0 192.168.1.200
|
||||||
|
4
run
4
run
@ -1,7 +1,7 @@
|
|||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
set -e
|
set -e
|
||||||
export PYTHONPATH="$(dirname $0):$PYTHONPATH"
|
export PYTHONPATH="$(dirname "$0"):$PYTHONPATH"
|
||||||
export PATH="$(dirname $0)/bin:$PATH"
|
export PATH="$(dirname "$0")/bin:$PATH"
|
||||||
|
|
||||||
python_best_version() {
|
python_best_version() {
|
||||||
if [ -x "$(command -v python3)" ] &&
|
if [ -x "$(command -v python3)" ] &&
|
||||||
|
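Review bot: Both exports on the new side still end in an unconditional `:$PYTHONPATH` / `:$PATH` suffix, so when the inherited variable is unset or empty the result carries a trailing empty component; POSIX shells search an empty PATH entry as the current directory, and CPython appears to treat an empty PYTHONPATH entry the same way, so a stray file in the caller's working directory could shadow the intended module or binary. The added quoting of `$0` is correct and should stay. `export PYTHONPATH="$(dirname "$0")${PYTHONPATH:+:$PYTHONPATH}"` and `export PATH="$(dirname "$0")/bin${PATH:+:$PATH}"` keep the prefix and only append the separator when there is something to append. `$(dirname "$0")` is relative when the script is started by a relative path, so these entries are only meaningful while the working directory is unchanged; `python_best_version()` continues past the hunk.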
@ -164,7 +164,7 @@ class MultiListener:
|
|||||||
try:
|
try:
|
||||||
self.v4.listen(backlog)
|
self.v4.listen(backlog)
|
||||||
except socket.error as e:
|
except socket.error as e:
|
||||||
# on some systems v4 bind will fail if the v6 suceeded,
|
# on some systems v4 bind will fail if the v6 succeeded,
|
||||||
# in this case the v6 socket will receive v4 too.
|
# in this case the v6 socket will receive v4 too.
|
||||||
if e.errno == errno.EADDRINUSE and self.v6:
|
if e.errno == errno.EADDRINUSE and self.v6:
|
||||||
self.v4 = None
|
self.v4 = None
|
||||||
|
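Review bot: The corrected comment still says the v4 *bind* fails, while the call guarded by this `try` is `self.v4.listen(backlog)`, so the text and the code disagree about which call raises EADDRINUSE; if listen() is indeed where it surfaces, `# on some systems listen() on the v4 socket fails with EADDRINUSE if the v6 socket succeeded,` would match the code. As a point of style, `socket.error` has been an alias of `OSError` since Python 3.3, so `except OSError as e:` reads more directly. The enclosing MultiListener method starts and ends outside the hunk.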
@ -126,7 +126,7 @@ def flush_systemd_dns_cache():
|
|||||||
#
|
#
|
||||||
# This code is supposed to clean up after itself by deleting its rules on
|
# This code is supposed to clean up after itself by deleting its rules on
|
||||||
# exit. In case that fails, it's not the end of the world; future runs will
|
# exit. In case that fails, it's not the end of the world; future runs will
|
||||||
# supercede it in the transproxy list, at least, so the leftover rules
|
# supersede it in the transproxy list, at least, so the leftover rules
|
||||||
# are hopefully harmless.
|
# are hopefully harmless.
|
||||||
def main(method_name, syslog):
|
def main(method_name, syslog):
|
||||||
helpers.logprefix = 'fw: '
|
helpers.logprefix = 'fw: '
|
||||||
|
@ -273,7 +273,7 @@ class OpenBsd(Generic):
|
|||||||
def add_anchors(self, anchor):
|
def add_anchors(self, anchor):
|
||||||
# before adding anchors and rules we must override the skip lo
|
# before adding anchors and rules we must override the skip lo
|
||||||
# that comes by default in openbsd pf.conf so the rules we will add,
|
# that comes by default in openbsd pf.conf so the rules we will add,
|
||||||
# which rely on translating/filtering packets on lo, can work
|
# which rely on translating/filtering packets on lo, can work
|
||||||
if self.has_skip_loopback():
|
if self.has_skip_loopback():
|
||||||
pfctl('-f /dev/stdin', b'match on lo\n')
|
pfctl('-f /dev/stdin', b'match on lo\n')
|
||||||
super(OpenBsd, self).add_anchors(anchor)
|
super(OpenBsd, self).add_anchors(anchor)
|
||||||
@ -353,7 +353,7 @@ class Darwin(FreeBsd):
|
|||||||
def add_anchors(self, anchor):
|
def add_anchors(self, anchor):
|
||||||
# before adding anchors and rules we must override the skip lo
|
# before adding anchors and rules we must override the skip lo
|
||||||
# that in some cases ends up in the chain so the rules we will add,
|
# that in some cases ends up in the chain so the rules we will add,
|
||||||
# which rely on translating/filtering packets on lo, can work
|
# which rely on translating/filtering packets on lo, can work
|
||||||
if self.has_skip_loopback():
|
if self.has_skip_loopback():
|
||||||
pfctl('-f /dev/stdin', b'pass on lo\n')
|
pfctl('-f /dev/stdin', b'pass on lo\n')
|
||||||
super(Darwin, self).add_anchors(anchor)
|
super(Darwin, self).add_anchors(anchor)
|
||||||
|
@ -61,11 +61,11 @@ def parse_hostport(rhostport):
|
|||||||
if ":" in host:
|
if ":" in host:
|
||||||
# IPv6 address and/or got a port specified
|
# IPv6 address and/or got a port specified
|
||||||
|
|
||||||
# If it is an IPv6 adress with port specification,
|
# If it is an IPv6 address with port specification,
|
||||||
# then it will look like: [::1]:22
|
# then it will look like: [::1]:22
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# try to parse host as an IP adress,
|
# try to parse host as an IP address,
|
||||||
# if that works it is an IPv6 address
|
# if that works it is an IPv6 address
|
||||||
host = str(ipaddress.ip_address(host))
|
host = str(ipaddress.ip_address(host))
|
||||||
except ValueError:
|
except ValueError:
|
||||||
@ -150,7 +150,7 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
|
|||||||
# return error code 127.
|
# return error code 127.
|
||||||
#
|
#
|
||||||
# (2) python3 or python exists in the PATH and is
|
# (2) python3 or python exists in the PATH and is
|
||||||
# executable. If they aren't, then exec wont work (see (4)
|
# executable. If they aren't, then exec won't work (see (4)
|
||||||
# below).
|
# below).
|
||||||
#
|
#
|
||||||
# (3) In /bin/sh, that we can redirect stderr in order to
|
# (3) In /bin/sh, that we can redirect stderr in order to
|
||||||
|