TOR class to allow remote SSH access over deep networks #146
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This probably needs docs and maybe a built-in way to enable |
This class configures an onion service to access the SSH server over
Tor. This is useful when you have a box behind NAT or some firewall
that is broken or unknown, and you need to get a rescue shell on the
host.
With this, you give an operator a thumb drive, who only needs to
figure out how to boot into GRML, and then after a while you get a
shell, pretty much regardless of where the box is.
This is not enabled by default, naturally, otherwise the secret key
would leak in default GRML builds: this is solely designed to be run
in an ad-hoc, one-time fashion. It also generates the SSH keys for the
same reason: those are shown in the build logs and can be used to
authenticate the remote host (a redundant measure to the onion service
name, of course).
I also enable `DEFAULT_BOOT_OPTIONS=ssh` in my builds, but that hasn't
been done here (although maybe it's possible to enable that in the
class? to be investigated).
Finally, another shim is required here to inject a valid SSH public
key in the image, so you can login over SSH. In my case, I have an
extra CLASS that only has this one script which does:
gpg --export-ssh-key [email protected] | tee -a $target/root/.ssh/authorized_keys
This could also be folded in the TOR class, but I'm not sure how to do
variables yet, so that's not yet standardized.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This class configures an onion service to access the SSH server over Tor. This is useful when you have a box behind NAT or some firewall that is broken or unknown, and you need to get a rescue shell on the host.
With this, you give an operator a thumb drive, who only needs to figure out how to boot into GRML, and then after a while you get a shell, pretty much regardless of where the box is.
This is not enabled by default, naturally, otherwise the secret key would leak in default GRML builds: this is solely designed to be run in an ad-hoc, one-time fashion. It also generates the SSH keys for the same reason: those are shown in the build logs and can be used to authenticate the remote host (a redundant measure to the onion service name, of course).
I also enable
DEFAULT_BOOT_OPTIONS=sshin my builds, but that hasn't been done here (although maybe it's possible to enable that in the class? to be investigated).Finally, another shim is required here to inject a valid SSH public key in the image, so you can login over SSH. In my case, I have an extra CLASS that only has this one script which does:
This could also be folded in the TOR class, but I'm not sure how to do variables yet, so that's not yet standardized.