extern/sshuttle
1
1
Fork 0
mirror of https://github.com/sshuttle/sshuttle.git synced 2024-11-24 17:04:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
946 Commits 9 Branches 50 Tags 3.6 MiB
Python 95.9%
Shell 3.1%
Nix 0.5%
Dockerfile 0.5%
5719d424de
Go to file
Scott Kuhl 5719d424de Remove --sudoers, improve --sudoers-no-modify 
Allowing sshuttle to add/overwrite sudoers configuration file at
locations of the users' choosing adds complexity to the code compared
to asking users to install the sudo configuration themselves. It
requires sshuttle to make decisions about how much effort we put into
ensuring that the file is written to a proper location. The current
method relies on the 'realpath' program which is not installed on
MacOS by default.

There are serious problems when the sudo configuration is used to
allow a user to *only* run sshuttle as root (with or without a
password). First, that user could then use the --sudoers option to
give other users sudo privileges. Second, the user can run any command
as root because sshuttle accepts a --ssh-cmd parameter which allows a
user to specify a program that sshuttle should run. There may also be
additional issues that we have not identified.

By removing the --sudoers option (and the associated sudoers-add
script), this reduces the problems above. This code keeps the
--sudoers-no-modify feature which prints a configuration to stdout for
the user to install. It includes a clear warning about how --ssh-cmd
could potentially be abused to run other programs.

A warning about some of these issues has been in sshuttle since
version 1.1.0. This commit also adds that warning to more locations in
the documentation.
2022-03-13 09:29:56 +11:00
.github Bump actions/checkout from 2.4.0 to 3 2022-03-02 10:10:13 +00:00
docs Remove --sudoers, improve --sudoers-no-modify 2022-03-13 09:29:56 +11:00
sshuttle Remove --sudoers, improve --sudoers-no-modify 2022-03-13 09:29:56 +11:00
tests test a wildcarded host acceptable 2022-02-10 23:32:43 +09:00
.gitignore Add .gitignore .vscode/ path. Resolve the issue #374 adding tproxy mark option to allow different network mapping. 2020-12-28 10:20:46 +11:00
.prospector.yml Fixes some style issues and minor bugs 2017-11-13 11:58:43 +11:00
.readthedocs.yaml Add readthedocs config 2022-01-04 11:38:07 +11:00
bandit.yml updated bandit config 2018-10-17 20:52:04 +11:00
CHANGES.rst Move release notes to github 2022-01-28 09:27:47 +11:00
LICENSE Change license text to LGPL-2.1 2020-08-26 12:25:36 -04:00
MANIFEST.in Fix error in requirements.rst 2017-07-09 09:08:48 +10:00
README.rst Trim excess whitespace 2021-09-22 12:36:36 +00:00
requirements-tests.txt Bump pytest from 7.0.0 to 7.0.1 2022-02-14 10:13:35 +00:00
requirements.txt Revert "Bump sphinx from 4.3.2 to 4.4.0" 2022-01-22 09:44:59 +11:00
run Fix shellcheck warnings 2021-09-22 12:36:27 +00:00
setup.cfg define flake8 max line length longer (79 to 128) 2022-02-10 08:41:22 +09:00
setup.py Remove --sudoers, improve --sudoers-no-modify 2022-03-13 09:29:56 +11:00
tox.ini remove py35 from tox.ini 2021-01-17 15:42:24 +11:00

README.rst 

sshuttle: where transparent proxy meets VPN meets ssh
=====================================================

As far as I know, sshuttle is the only program that solves the following
common case:

- Your client machine (or router) is Linux, FreeBSD, or MacOS.

- You have access to a remote network via ssh.

- You don't necessarily have admin access on the remote network.

- The remote network has no VPN, or only stupid/complex VPN
  protocols (IPsec, PPTP, etc). Or maybe you *are* the
  admin and you just got frustrated with the awful state of
  VPN tools.

- You don't want to create an ssh port forward for every
  single host/port on the remote network.

- You hate openssh's port forwarding because it's randomly
  slow and/or stupid.

- You can't use openssh's PermitTunnel feature because
  it's disabled by default on openssh servers; plus it does
  TCP-over-TCP, which has `terrible performance`_.

.. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html

Obtaining sshuttle
------------------

- Ubuntu 16.04 or later::

      apt-get install sshuttle

- Debian stretch or later::

      apt-get install sshuttle

- Arch Linux::

      pacman -S sshuttle

- Fedora::

      dnf install sshuttle

- openSUSE::

      zypper in sshuttle

- Gentoo::

      emerge -av net-proxy/sshuttle

- NixOS::

      nix-env -iA nixos.sshuttle

- From PyPI::

      sudo pip install sshuttle

- Clone::

      git clone https://github.com/sshuttle/sshuttle.git
      cd sshuttle
      sudo ./setup.py install

- FreeBSD::

      # ports
      cd /usr/ports/net/py-sshuttle && make install clean
      # pkg
      pkg install py36-sshuttle

- macOS, via MacPorts::

      sudo port selfupdate
      sudo port install sshuttle

It is also possible to install into a virtualenv as a non-root user.

- From PyPI::

      virtualenv -p python3 /tmp/sshuttle
      . /tmp/sshuttle/bin/activate
      pip install sshuttle

- Clone::

      virtualenv -p python3 /tmp/sshuttle
      . /tmp/sshuttle/bin/activate
      git clone https://github.com/sshuttle/sshuttle.git
      cd sshuttle
      ./setup.py install

- Homebrew::

      brew install sshuttle

- Nix::

      nix-env -iA nixpkgs.sshuttle


Documentation
-------------
The documentation for the stable version is available at:
https://sshuttle.readthedocs.org/

The documentation for the latest development version is available at:
https://sshuttle.readthedocs.org/en/latest/


Running as a service
--------------------
Sshuttle can also be run as a service and configured using a config management system:
https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe