Nuttssh is a small Python-based SSH server that internally connects forwarded ports between different SSH clients. It was designed to work as a way to connect to machines running behind a NAT, by letting them initiate an outgoing SSH connection and then piggy-back a reverse SSH connection to access the machine. When used like that, Nuttssh acts somewhat as a very lightweight VPN server.
More generally, nuttsh can be used to let SSH clients request opening a listening port, which results in an internal virtual port being opened (no actual TCP ports on the server are opened). Then another SSH client can request to connect to that listening port, using a configurable name to identify the client whose port to connect to.
This works very similar to using a normal SSH server with port forwarding, except that when using Nuttssh:
- Not actual TCP ports are opened on the server.
- Clients do not need to actually authenticate as a system user, Nuttssh handles its own key authentication.
- When multiple clients request a listening port, they can use the same port number, since their hostname will be used to select the right one. This removes the need to ensure that each listening client chooses a unique port number.
- When connecting to a listening port, a hostname and the regular port number (e.g. 22 for SSH) can be used, rather than having to keep track of which port number maps to which client.
To circumvent the downsides of normal SSH port forwarding (in particular the last two), Nuttssh was created. It replaces the central server, while still allowing normal SSH clients to be used.
Nuttssh still young, but should be usable already. There is still plenty of room for improvement, especially with regard to configurability.
-
(Nuttssh) server: The central server that accepts connections from various clients, and connects them together.
-
Listening client: A client that connects to the Nuttssh server and requests listening ports. This is not called a "listener", to prevent confusing with the
SSHListener
class used in AsyncSSH. -
Initiating client or initiator: A client that connects to the Nuttssh server and requests a connection to a listening client.
-
Circuit: the virtual connection between two clients through the Nuttssh server. Called a circuit to disambiguate from the normal connection between the client and the Nuttssh server.
Note that a client is typically either listening or initiating, but given sufficient permissions, a client could also act as both.
The above terminology is not used everywhere yet, in some cases a listening client is called a slave and an initiating client is called a master (coming from the original usecase of remote control).
The easiest way to run Nuttsh is to install it using pip. E.g.:
pip3 install nuttsh
Optionally add --user
to install for your user only (without
requiring root), or run inside an activated virtualenv.
Then, to run the nuttsh server:
python3 -m nuttsh
Alternatively, you can also clone this repository, and run python3 -m nuttsh
from the root of the repository, without requiring installation.
Note that this uses pip3
and python3
to get the Python 3 versions. If this
is the default on your system (or you are using from a virtualenv containing
Python 3), you might also be able to just use pip
and python
instead.
Currently, no configuration file or options is supported. There are some
constants in the top of nuttssh/server.py
that hardcode nuttsh to listen on
any interface, on port 1878 and set the name of the ssh_host_key
and
authorized_keys
file.
The default port is chosen to be a non-standard port, to prevent conflicts with an existing SSH server, and to reduce noise from SSH brute force attacks. The port chosen is based on the year that the Nutt sisters became the first female telephone operators in 1878.
To allow starting nuttssh
, an ssh host key must be present. This should be
put into a file called ssh_host_key
in the current directory. To generate one
using OpenSSH's ssh-keygen
, run:
ssh-keygen -t rsa -b 2048 -P "" -f ssh_host_key
This generates a 2048-bit RSA key without a passphrase.
To control access to the nuttsh server, an authorized_keys
file must be
present (without it, nuttsh will refuse to start). This file uses the same
format as OpenSSH's authorized_keys
file. Each line must contain a single
public key (copied from e.g. the id_rsa.pub
file). In front of the public
key, options can be added.
For example, a file could look like this (keys are truncated for the example):
access="listen" ssh-rsa AAAAB3NzaC1yc2EAAAADAJnmVYPYe94v user@host
access="listen",access="initiate",from="192.168.1.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA+ user@host
This consists of a comma-separated list of options, a keytype, the actual key and a comment.
Currently, the following options are supported:
-
access
to specify the permissions for the client. Supported values arelisten
(to allow opening listening ports) andinitiate
(to allow connecting to listening ports). This option can be specified more than once, to give more than one type of permission. -
from
to limit connections to specific hosts. The value is a comma-separated list of patterns. Each pattern can be a glob pattern (using*
and?
, e.g."*.mydomain.tld"
) matched against the address and hostname, or a CIDR-style address and mask (e.g."192.168.1.0/24"
). A connection is allowed if it matches at least one of the patterns in the list. This option can be specified multiple times, in which case a connection must match (one element of) eachfrom
option separately.See the OpenSSH
authorized_keys
manpage for more info on this option. -
hostname
andalias
allow configuring the name(s) that can be used to connect to this client. See below for details.
Note that when a client has multiple keys, the first one offered by the client
that is present in the authorized_keys
file is used, even when another is
also present and has more permissions or other options.
Each connected client has a hostname, and an optional list of alias names. The hostname is used in various places to refer to a client, while both the hostname and the aliases can be used to select a listening client to connect to.
By default, the username specified by the client is used as its hostname (this
looks a bit like a hack, but it seems like the cleanest approach). Using the
hostname
option in authorized_keys
, this hostname can be overridden for a
given connection. Using the alias
option, additional alias names can be
specified (the option must be specified multiple times for multiple aliases).
When multiple listening clients each claim the same name (hostname or alias),
the last client to connect will be reached using that name. To reach the other
clients, you can add an index to the hostname. E.g. when two listening clients
both use test
as their hostname, you can connect to the most recent one using
test
(or test~0
) and the older one using test~1
.
Connections to the Nuttssh server use the normal SSH protocol, so can use a regular SSH client. To open up a listening port, the normal port forwarding options can be used. For example:
ssh [email protected] -p 1878 -R 22:localhost:22 -N
This connects to a Nuttssh server running on nuttsh.example.org
, port 1878.
Our hostname (myhost
) is passed as the username. No shell or other remote
command is run (-N
), but a (virtual) port 22 is opened in the Nuttssh server.
Any incoming circuits on that port are forwarded through the SSH connection and
connected to localhost:22 (in other words, our local port 22 is exposed through
Nuttssh).
Typically you want a listening client to be continuously connected (and
reconnect on errors). This is easy using autossh
, just replace ssh
with
autossh
, and that will take care of autoconnecting.
By default, autossh
uses additional port forwards to test connectivity, which
do not work with Nuttssh so these should be disabled in favor of letting SSH
itself do keepalive. Additionally, when running unattended, autossh
should be
told to always keep retrying, even on startup errors.
The above examples all assume that the listening clients requests a listening
port 22 and forwards any incoming circuits to localhost:22
, which is probably
the common case. However, it is also possible to forward to a different local
host or port by specifying them with the -R
option.
For example:
ssh [email protected] -p 1878 -R 80:localhost:8080 -N
This requests a virtual port 80 on the Nuttssh server and connects any incoming
circuits to port 8080 on localhost. Note that this is completely invisible to
the initiating clients, since these only need to specify the hostname
(myhost
) and virtual listening port (80).
Initiating clients also use the plain SSH protocol and can use a normal SSH client. For example, to set up an SSH connection to the listening client from the previous example, using a circuit through the NuttSSH server:
ssh -J nuttsh.example.org:1878 myhost
This instructs ssh to first connect to nuttssh.example.org
, port 1878 and
then inside that connection, ask the Nuttssh server to set up a circuit
(tunneled connection) to myhost
, port 22 (not specified explicitly). This
hostname and port combination is then matched by the Nuttsh server to the
previously connected listening client and the circuit is routed to that client.
Finally, the listening client then completes the circuit by locally connecting
to its own SSH port, as requested by the localhost:22
part in its -R
option.
This makes use of the SSH -J
option, using the Nuttssh as a jump host. This
is convenient for routing SSH connections through a circuit, but does not work
for other kinds of connections. Fortunately, ssh allows other ways to set up
these circuit connections as well.
Note that this makes two SSH connections, one to the Nuttsh server and one to the listening client. This also means that authentication must happen twice.
You can also ask SSH to open a local listening port, and create a circuit for each incoming connection on that port. For example:
ssh -L 22:myhost:22 nuttsh.example.org -p 1878 -N
Opens up port 22 locally, and forwards any connections through a circuit to
port 22 on myhost
. Again -N
is specified to prevent trying to execute a
remote shell or command.
Note that more than one circuit can be created in this way, each of which will be routed through the same SSH connection to the Nuttssh server.
SSH can also forward data on its stdin and stdout streams into a circuit. For example:
ssh -W myhost:22 nuttsh.example.org -p 1878
This opens a circuit to myhost
on port 22, and connects it to the stdin and
stdout of the local ssh client. The -N
option is implied by -W
, so does
need to be separately specified.
SSH supports exposing a SOCKS proxy. This proxy is implemented completely in the local SSH client, and allows (local) programs, such as a webbrowser, to route all of their traffic through the proxy. In this case, this means all connections will be made through circuits (and thus connections can be made to all listening hosts, but not other hosts).
To set this up, run:
ssh -D 3128 nuttsh.example.org -p 1878 -N
This instructs ssh to open up a SOCKS proxy port on local port 3128, which can then be used by other programs.
Note that this setup requires the client to support SOCKS v5 and do name resolution through the proxy (e.g. Firefox has a "Proxy DNS when using SOCKS v5" optoin for this). Without this (and with SOCKS v4), names are locally resolved (which will fail) and only the resulting IP address is included in the proxy request.
All of the above mentioned ssh options (except -N
it seems) can also be
configured through SSH configuration file options, so you can define some
presets and apply them by just passing a hostname to ssh. See the ssh_config
manpage for more info.
This is an open project, and contributions are welcomed. For bug reports, feature suggestions and questions, please use the github issue tracker. To contribute patches, use github pull requests.
When contributing patches, make sure to provide good quality contributions. In particular, code style should be consistent, commits should be cleanly separated with a single logical change per commit and commit messages should be clear. In other words, make sure the code and commit history is easy to read and review. Additionally, please explicitly state that you make your patch available under the MIT license.
To check the coding style of the code, the flake8 tool is used. As a
convenience, a Makefile
is provided that allows running make check
to run
all checks (currently only flake8). This should not return any errors after any
commit, so make sure to run it regularly. To fix import sorting errors, run
make sort
.
Nuttssh was written by Matthijs Kooijman. Its sources, as well as the
accompanying documentation and other files in this repository are available
under the MIT license. See the LICENSE
file for the full license text.
Nuttssh was originally created for the Meetjestad! project, to provide lightweight remote control for LoRa gateways spread throughout the city on varying internet connections (usually not publically reachable due to NAT). After some initial experiments with a reverse SSH connection and SSH channel multiplexing (which worked, but resulted in fragile code), the current approach of using port forwards was implemented. For this, some inspiration was taking from ssh-proxy, which also uses remote port forwarding (but uses key fingerprints to identify clients, and probably predates the SSH "jump host" feature).
Since how Nuttssh works seems a bit similar to the way telephone switchboards used to work years ago, Nuttssh is named after Emma & Stella Nutt, which were the first two female telephone switchboard operators. The name "circuit" is also taken from telephone jargon.