Commit Graph

83 Commits

Author SHA1 Message Date
nom3ad
bac2a6b0c7 windows: add --remote-shell option to select cmd/powershell 2024-08-06 08:38:24 +10:00
nom3ad
dff6950c4c windows: update docs 2024-08-06 08:38:24 +10:00
nom3ad
5a64c81b5b experimental windows method 2024-08-06 08:38:24 +10:00
Samir Aguiar
348f0eb653 Add support for non-compliant ssh wrappers
ssh wrappers like teleport's tsh do not correctly interpret the
double dash as an argument delimiter and will not work properly
with sshuttle. This PR adds a new command line switch to handle
these cases by not adding the delimiter.

Fixes #599
2024-07-07 13:28:26 +10:00
Christian Clauss
5c479220a7 Update usage.rst 2024-01-31 19:28:21 +11:00
Christian Clauss
32d0054455 Fix typos discovered by codespell
https://pypi.org/project/codespell
2024-01-31 19:28:21 +11:00
Benjamin Barthe
e4ae714cf8 fixing a tiny typo 2024-01-31 14:35:02 +11:00
Alex Jurkiewicz
0ddebdeee6 Add support for SSHUTTLE_ARGS environment variable 2023-08-09 15:06:05 +10:00
Brian May
802c6f5a6e Use furo style for docs
The default read the docs theme does not work with the latest Sphinx.
2023-07-31 08:18:18 +10:00
Bastian Venthur
a33a4829e2 fixed some spelling mistakes 2022-06-15 07:43:25 +10:00
Brian May
6d36916f48 Remove support for Python 3.6 and 3.7
Fixes #716
2022-03-29 11:47:05 +11:00
Scott Kuhl
5719d424de Remove --sudoers, improve --sudoers-no-modify
Allowing sshuttle to add/overwrite sudoers configuration file at
locations of the users' choosing adds complexity to the code compared
to asking users to install the sudo configuration themselves. It
requires sshuttle to make decisions about how much effort we put into
ensuring that the file is written to a proper location. The current
method relies on the 'realpath' program which is not installed on
MacOS by default.

There are serious problems when the sudo configuration is used to
allow a user to *only* run sshuttle as root (with or without a
password). First, that user could then use the --sudoers option to
give other users sudo privileges. Second, the user can run any command
as root because sshuttle accepts a --ssh-cmd parameter which allows a
user to specify a program that sshuttle should run. There may also be
additional issues that we have not identified.

By removing the --sudoers option (and the associated sudoers-add
script), this reduces the problems above. This code keeps the
--sudoers-no-modify feature which prints a configuration to stdout for
the user to install. It includes a clear warning about how --ssh-cmd
could potentially be abused to run other programs.

A warning about some of these issues has been in sshuttle since
version 1.1.0. This commit also adds that warning to more locations in
the documentation.
2022-03-13 09:29:56 +11:00
lbausch
9431bb7a2f Fix typo 2022-03-03 07:28:46 +11:00
Scott Kuhl
09c534bcf3 Clarify --disable-ipv6 in man page.
The description for --disable-ipv6 did not list all methods that
support IPv6.
2022-02-04 15:27:48 -05:00
Scott Kuhl
175da40db7 Fix typo in tproxy documentation.
"IPv6 DNS" was listed twice.
2021-12-31 14:54:17 -05:00
Scott Kuhl
e11db3980f Minor improvement to tproxy documentation.
Previously, tproxy was unique in its support of IPv6. Now, many
sshuttle methods support IPv6 and tproxy remains the only option that
supports UDP.
2021-12-31 14:31:54 -05:00
Brian May
b896a4b7f3 Remove references to legacy PyXAPI socket_ext for recvmsg
socket.recvmsg has been in Python since version 3.3 and we don't
support anything older then 3.6 the server side.
2021-11-11 08:01:15 +11:00
a1346054
b95c1f3357
Trim excess whitespace 2021-09-22 12:36:36 +00:00
a1346054
ef244a5490
Fix typos 2021-09-22 12:36:26 +00:00
Scott Kuhl
bc065e368d Remove ttl hack & require -r option.
Previously, it was possible to run sshuttle locally without using ssh
and connecting to a remote server. In this configuration, traffic was
redirected to the sshuttle server running on the localhost. However,
the firewall needed to distinguish between traffic leaving the
sshuttle server and traffic that originated from the machine that
still needed to be routed through the sshuttle server. The TTL of the
packets leaving the sshuttle server were manipulated to indicate to
the firewall what should happen. The TTL was adjusted for all packets
leaving the sshuttle server (even if it wasn't necessary because the
server and client were running on different machines).

Changing the TTL caused trouble and some machines, and
the --ttl option was added as a workaround to change how the TTL was
set for traffic leaving sshuttle. All of this added complexity to the
code for a feature (running the server on localhost) that is likely
only used for testing and rarely used by others.

This commit updates the associated documentation, but doesn't fully
fix the ipfw method since I am unable to test that.

This change will also make sshuttle fail to work if -r is used to
specify a localhost. Pull request #610 partially addresses that issue.

For example, see: #240, #490, #660, #606.
2021-07-12 11:24:29 -04:00
Scott Kuhl
560c6b4ce8 Improve hostwatch robustness and documentation.
If an exception occurs in hostwatch, sshuttle exits. Problems
read/writing the ~/.sshuttle.hosts cache file on the remote machine
would therefore cause sshuttle to exit. With this patch, we simply
continue running without writing/reading the cache file in the remote
home directory. This serves as an alternate fix for
pull request #322 which proposed storing the cache file elsewhere.

A list of included changes:

- If we can't read or write the host cache file on the server,
  continue running. Hosts can be collected through the netstat,
  /etc/hosts, etc and the information can be reconstructed each run if
  a cache file isn't available to read. We write a log() message when
  this occurs.

- Add additional types of exceptions to handle.

- Continue even if we cannot read /etc/hosts on the server.

- Update man page to mention the cache file on the remote host.

- Indicate that messages are related to remote host instead of local
  host.

- Add comments and descriptions to the code.
2021-06-02 15:22:04 -04:00
Scott Kuhl
3f201095ea Merge branch 'master' into nat-ipv6 2021-05-30 21:09:32 -04:00
Brian May
1820264dd5
Merge pull request #647 from skuhl/man-page-updates
Update documentation
2021-05-31 07:48:56 +10:00
Scott Kuhl
851b26cb13 Update documentation
The output in the examples provided in the man page hadn't been
updated as sshuttle changed its output over time.

The example of testing sshuttle without a remote host was removed. It
was the first example previously and it is something that is unlikely
users will wish to do.

Also:
 - Update some --help messages.
 - Manpage: Fix a typo.
 - Manpage: Mention that host specified with -r can be an ssh alias.
 - Eliminate variable only used once.
2021-05-29 21:54:47 -04:00
Scott Kuhl
c026a92cad Add IPv6 support to nat (iptables) method.
Adding IPv6 support to the nat method is straightforward after the
previous work to add IPv6 support for nft.
2021-05-29 20:55:48 -04:00
Scott Kuhl
a7df12cd68 Fix --tmark option
Even when --tmark was used, the iptables code always used '1' for the
mark. This patch corrects the problem.

Previously, it wasn't clear if the tmark should be supplied in
hexadecimal or as an integer. This makes it use hexadecimal, checks
that the input is hexadecimal, and updates the associated
documentation.

This patch also makes --ttl information get passed to the firewall in
a way that matches how other information gets passed. The ttl and
tmark information are passed next to each other in many places and
this patch also makes the order consistent.
2021-05-27 21:48:43 -04:00
Kees Hink
0e51da519f Allow comments in configuration file 2021-02-16 07:51:32 +11:00
Kees Hink
a22c453d5e Remove trailing whitespace 2021-02-16 07:51:32 +11:00
Scott Kuhl
97c25e988e
tproxy: Skip firewall chains if packets have local destination. (#578)
If you use the tproxy method with a large subnet (such as 0/0), then
(1) you may not receive UDP packets that sshuttle/tproxy can handle
and (2) you are unable to connect to your machine using an IP that
your computer recognizes as its own.

To resolve those issues, any traffic to an IP that the host knows is
local, does not go through the sshuttle chains.
2021-01-04 09:05:32 +11:00
Samuel Bernardo
76b8b83e22 Add .gitignore .vscode/ path. Resolve the issue #374 adding tproxy mark option to allow different network mapping.
Signed-off-by: Samuel Bernardo <samuel@lip.pt>
2020-12-28 10:20:46 +11:00
Brian May
4a65f97c8b Drop testing of Python 3.5
Due to message from CI:

DEPRECATION: Python 3.5 reached the end of its life on September 13th,
2020. Please upgrade your Python as Python 3.5 is no longer maintained.
pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will
remove support for this functionality.
2020-12-16 20:11:13 +11:00
Scott Kuhl
502960d796 Intercept DNS requests sent by systemd-resolved.
Previously, we would find DNS servers we wish to intercept traffic on
by reading /etc/resolv.conf. On systems using systemd-resolved,
/etc/resolv.conf points to localhost and then systemd-resolved
actually uses the DNS servers listed in
/run/systemd/resolve/resolv.conf. Many programs will route the DNS
traffic through localhost as /etc/resolv.conf indicates and sshuttle
would capture it. However, systemd-resolved also provides other
interfaces for programs to resolve hostnames besides the localhost
server in /etc/resolv.conf.

This patch adds systemd-resolved's servers into the list of DNS
servers when --dns is used.

Note that sshuttle will continue to fail to intercept any traffic sent
to port 853 for DNS over TLS (which systemd-resolved also supports).

For more info, see:
sshuttle issue #535
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
https://github.com/systemd/systemd/issues/6076
2020-10-25 12:29:32 -04:00
Scott Kuhl
c02b93e719 nft IPv6 documentation (and other minor doc updates)
Update docs to indicate that IPv6 is supported with the nft method.

- Adds nft into the requirements.rst file.

- Update description of what happens when a hostname is used in a
  subnet.

- Add ipfw to list of methods.

- Indicate that --auto-nets does not work with IPv6. Previously this
  was only mentioned in tproxy.rst

- Clarify that we try to use "python3" on the server before trying
  "python".
2020-10-22 20:17:09 -04:00
Nicolas Stalder
9d704b3503 Document -s/--subnets option in man page 2020-10-19 13:35:03 +02:00
Leif Naundorf
79181043bc
Add missing package in OpenWRT documentation
The package 'iptables-mod-extra' also needs to be installed
2020-08-10 16:35:05 +02:00
Akimasa Shimobayashi
c0a81353ab
Fix doc about --listen option (#500)
* Can't use this option twice, separate by comma actually.

* Broke the line because it was too long.
2020-08-05 20:28:36 +10:00
Brian May
eb01c0b184
Fix formatting in installation.rst 2020-07-15 08:14:51 +10:00
Chris Burr
5537a90338
Fix formatting typos in usage docs 2020-07-04 12:02:44 +02:00
Joshua Li
61bbbca956 another python 3.5 change 2020-06-10 16:46:52 -07:00
Joshua Li
e56f8f2349 server side is py3.5+ 2020-06-10 16:46:10 -07:00
Brian May
9f27c1943b Updated supported Python versions
* Drop 2.7
* Add 3.7 and 3.8
2020-05-29 07:44:51 +10:00
jtagcat
365d30de14 Add 'My VPN broke and need a solution fast' to the docs. 2020-05-15 07:23:43 +10:00
rjharmon
e3201969b5 systemd integration doc adjustment
* the default NotifyAccess (=main) works now, no need to suggest =all
2020-03-24 16:15:41 +11:00
Brian May
36d34b18da Fix various errors in documentation 2020-02-09 19:45:13 +11:00
Julian Wollrath
3edeb726b8 Simplify nftables based method 2020-02-07 07:53:47 +11:00
William Mantly
69d3f7dc64 Auto sudoers file (#269)
* added sudoers options to command line arguments

* added sudoers options to command line arguments

* template for sudoers file

* Added option for GUI sudo

* added support for GUI sudo

* script for auto adding sudo file

* sudoers auto add works and validates

* small change

* Clean up for CI

* removed code that belongs in another PR

* added path for package bins

* added sudoers bin

* added sudoers-add to setup file

* fixed issue with sudoers bash script

* auto sudoers now works

* added --sudoers-no-modify option

* bin now works with ./run

* removed debug print

* Updated sudoers-add script

* Fixed error passing sudoers config to script

* more dynamic building of sudoers file

* added option to specify sudoers.d file name

* fixed indent issue

* fixed indent issue

* indent issue

* clean up

* formating

* docs

* fix for flags

* Update usage.rst

* removed shell=true

* cleared CI errors

* cleared CI errors

* removed random

* cleared linter issue

* cleared linter issue

* cleared linter issue

* updated sudoers-add script

* safer temp file

* moved bin directory

* moved bin directory

* removed print

* fixed spacing issue

* sudoers commands must only containe upper case latters
2019-12-13 08:15:31 +11:00
Joseph Barker
23516ebd71 Add option for latency control buffer size
This commit resolves #297, allowing the buffers used in the latency control to be changed with a command line option ‘--latency-buffer-size’.

We do this by changing a module variable in ssnet.py (similar to the MAX_CHANNEL variable) which seems to be the simplest code change without extensive hacking.

Documentation is also updated.
2019-11-08 08:01:52 +11:00
unl89
7ebff92637 docs: openwrt 2019-09-22 10:34:27 +10:00
André Draszik
531a17c151 docs: document --ns-hosts --to-ns and update --dns
--ns-hosts is available since commit d2ee34d71c
("dns: Added --ns-hosts to tunnel only some requests")
(released as v0.72), but was never documented.

--to-ns is available since commit be559fc78b
("Fix case where there is no --dns.") after several
bugfixes, released as v0.78.4, but was never
documented.
2018-12-29 15:02:18 +11:00
David Landry
0b1a260436 Fix typo in docs 2018-12-03 14:34:42 +11:00