Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/trunk' into socket-authenticator…
Browse files Browse the repository at this point in the history
…-option
  • Loading branch information
gkc committed Jan 20, 2024
2 parents a2e5b44 + 398342c commit 1f8052c
Show file tree
Hide file tree
Showing 112 changed files with 1,601 additions and 1,220 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5
uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
4 changes: 2 additions & 2 deletions .github/workflows/multibuild.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ jobs:
- run: cp -r bundles/${{ matrix.bundle }}/* sshnp/
- run: cp LICENSE sshnp
- run: tar -cvzf tarball/${{ matrix.output-name }}.tgz sshnp
- uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
- uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
with:
name: ${{ matrix.output-name }}-upload
path: ./packages/dart/sshnoports/tarball/${{ matrix.output-name }}.tgz
Expand Down Expand Up @@ -96,7 +96,7 @@ jobs:
--platform ${{ matrix.platform }} -o type=tar,dest=bins.tar .
- run: mkdir tarballs
- run: tar -xvf bins.tar -C tarballs
- uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
- uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
with:
name: ${{ matrix.output-name }}-upload
path: ./packages/dart/sshnoports/tarballs/${{ matrix.output-name }}.tgz
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/python-sshnpd-build-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
cp -r dist/ $GITHUB_WORKSPACE
- name: Store the distribution packages
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
with:
name: sshnpd-python-package
path: dist/
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
with:
name: SARIF file
path: results.sarif
Expand Down
23 changes: 0 additions & 23 deletions docs/README (1).md

This file was deleted.

152 changes: 12 additions & 140 deletions docs/README.md
Original file line number Diff line number Diff line change
@@ -1,147 +1,19 @@
# Copy of Under The Hood
---
description: Welcome to the No Ports documentation site.
---

**Note**: This document describes version 4.0.0-rc.2 or later. Prior versions used a different method of forming the connection.
# 🚫 No Ports Documentation

## Overview
## SSH No Ports

There are three atSigns involved - one for each of
SSH No Ports is the flagship product in the No Ports suite. It enables you to SSH to any device with no open listening ports, making your devices reachable while eliminating network attack surfaces and reducing administrative overhead!

* the noports daemon program (`sshnpd`) which runs on the device you want to ssh to
* the noports client program (`sshnp`) which you run on the device you want to ssh from
* the noports tcp rendezvous program (`sshrvd`)
<table data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="ssh-no-ports/">ssh-no-ports</a></td></tr><tr><td><a href="ssh-no-ports/guides/installation-guide/">installation-guide</a></td></tr><tr><td><a href="ssh-no-ports/guides/upgrade-guide/">upgrade-guide</a></td></tr><tr><td><a href="ssh-no-ports/guides/usage-guide/">usage-guide</a></td></tr><tr><td><a href="ssh-no-ports/faq-coming-soon.md">faq-coming-soon.md</a></td></tr></tbody></table>

The programs communicate via the atProtocol and the atClient SDKs; as a result, the payloads of the messages the programs send to each other are all end-to-end encrypted.
## Learn More about No Ports

In brief
If you would like to learn more about how everything works, see our developer notes section.

* The client (`sshnp`) creates a unique guid for the session
* and sends a request notification to the `sshrvd` for a port1/port2 pair for this sessionId
* The sshrvd
* finds a pair of available ports
* opens server sockets for both of them
* **Note**: rvd will allow just a single client socket to connect to each server socket
* and will bridge them together
* sends response to the client
* The client
* receives the response notification from sshrvd (rv\_host, rv\_port\_1, rv\_port\_2)
* and sends a request notification to the `sshnpd` including the sessionId and the rv\_host:rv\_port\_1
* The daemon (`sshnpd`)
* opens a socket to the rv\_host:rv\_port\_1
* and opens a socket to its local sshd port
* and bridges the sockets together
* and sends a response notification to the `sshnp` client
* The client
* issues an ssh command like this to set up the ssh tunnel and do a local port forwarding

```
/usr/bin/ssh [email protected] -p 40189 -i /Users/gary/.ssh/noports \
-L 58358:localhost:22 -t -t -f \
-o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes \
-o BatchMode=yes -o ExitOnForwardFailure=yes \
sleep 15
```
* The client displays a message to the user that they may now `ssh -p $local_port $username@localhost`, i.e. `ssh -p 58358 gary@localhost` in the example above, and exits
This high-level flow is visualized in the diagrams below.
**NB** Requests from unauthorized client atSigns are ignored. Note that one may also completely prevent requests from any other atSigns ever even reaching the daemon by using the atProtocol's `config:allow` list feature.
> In the personal edition of noports, a daemon may have only a single authorized client atSign.
>
> The Team and Enterprise editions will allow for multiple authorized client atSigns, controlled not by the daemon but by a separate noports authorization controller process, with its own atSign.
### Overview diagram
![](.gitbook/assets/overview.png)
### Control plane
In the following sequence diagram, atServer address lookup flows, authentication flows, key exchange flows, precise encryption mechanics and notification transmission flows are not covered in detail; those details are provided in the links provided in the "Further Details" section below.
Since the full details are provided in those other links, the `client_1 -> atServer_1 -> atServer_2 -> client_2` message flows are abbreviated to `@atSign_1 -> @atSign_2` in the sequence diagram. Thus, for example, `sshnp (@client)` encapsulates both the sshnp program and the sshnp atServer
```mermaid
sequenceDiagram
participant C as sshnp (@client)
participant R as sshrvd (@rv)
participant D as sshnpd (@device)
note over R,D: service startups
D->D: Authentication
D->D: Start monitor <br> (notification listener)
R->R: Authentication
R->R: Start monitor <br> (notification listener)
note left of C: user runs the sshnp program
C->C: Authentication
C->C: Start monitor <br> (notification listener)
note left of C: sshnp sends session request <br> notification to sshrvd
C->C: Create sessionId guid to send to @rv
C->C: Encrypt message to send to @rv
C->>R: Send notification to @rv <br> requesting host and port
R->R: Decrypt request payload
R->R: Find two unused ports
R->R: Create an isolate <br> which creates server sockets <br> on the ports, waits for connections, <br> and joins their i/o streams
R->R: Create and encrypt <br> response message containing <br> sessionId, host, port_1, port_2
R->>C: Send response notification <br> to @client
C->C: Create and encrypt request message <br> to send to @device (sessionId, host, port1)
C->>D: Send request to sshnpd
D->>D: SPAWN an sshrv process
D->>R: (Spawned) Open socket $npd_to_rv to host:port_1
D->>D: (Spawned) Open socket $npd_to_sshd to localhost:22
D->>D: (Spawned) Join $npd_to_rv and $npd_to_sshd <br> i/o streams, and vice versa
D->>C: Send "connected" response notification if spawned successfully
C->>C: Find an available $local_port<br>or use one supplied by the user via the command line
C->>C: Spawn an initial ssh command to set up the local port forwarding tunnel
C->>C: If spawned successfully, Write to stdout: "ssh -p $local_port $username@localhost"
```

### Data plane

Once the interactions above have completed

* the sshnpd nor the sshnp programs are no longer involved
* there is a new sshrv process running on the device host which pipes i/o between device port 22 and $rv\_host:$rv\_port\_1
* there is an ssh process running on the client host which provides the local port forwarding tunnel
* User may now type "ssh -p $local\_port username@localhost" with traffic flowing
* client ssh program <===>
* $client\_localhost:$local\_port <===> bridged by client-side ssh tunnel to
* $rv\_host:$rv\_port\_2 <===> bridged by sshrvd to
* $rv\_host:$rv\_port\_1 <===> bridged by device-side sshrv to
* $device\_host:22 <===>
* device sshd program

```mermaid
sequenceDiagram
participant ssh
participant clp as client local port
participant rvp1 as rvd port 1
participant rvp2 as rvd port 2
participant dp22 as device port 22
participant sshd
note over ssh,clp: client host
note over rvp1, rvp2: rvd host
note over dp22, sshd: device host
note over clp, rvp1: Bridged by <br> client ssh local port forward
note over rvp1, rvp2: Bridged by <br> rvd
note over rvp2, dp22: Bridged by <br> device sshrv
ssh ->> sshd: packets from ssh to sshd
sshd ->> ssh: packets from sshd to ssh
```

## Further Details

In the sections above, we referred to "authentication", "sending notifications" and "receiving notifications", and we made the statement that "the payloads of the messages the programs send to each other are all end-to-end encrypted"

Here are some links to detailed diagrams covering

* [how atClients authenticate to their atServers](https://github.com/atsign-foundation/at\_protocol/blob/trunk/decisions/2023-01-pkam-per-app-and-device.md#appendix---current-flows)
* [how encrypted data is exchanged](https://github.com/atsign-foundation/at\_protocol/blob/trunk/usage-examples/how-to-exchange-encrypted-data.md) (including how keys are exchanged)
* [how notifications work](https://github.com/atsign-foundation/at\_protocol/blob/trunk/usage-examples/how-notifications-work.md)
{% content-ref url="developer-notes/" %}
[developer-notes](developer-notes/)
{% endcontent-ref %}
32 changes: 20 additions & 12 deletions docs/SUMMARY.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,22 @@
# Table of contents

* [Copy of Under The Hood](README.md)
* [No Ports Docs](<README (1).md>)

## SSH No Ports

* [Overview](ssh-no-ports/overview.md)
* [Installation Guide](ssh-no-ports/installation-guide.md)
* [Usage Guide](ssh-no-ports/usage-guide.md)

## Developer Notes <a href="#dev-notes" id="dev-notes"></a>

* [Under The Hood](dev-notes/underthehood.md)
* [🚫 No Ports Documentation](README.md)
* [⌨ SSH No Ports](ssh-no-ports/README.md)
* [🔢 Guides](ssh-no-ports/guides/README.md)
* [💽 Installation Guide](ssh-no-ports/guides/installation-guide/README.md)
* [👩💻 Client installation (sshnp)](ssh-no-ports/guides/installation-guide/client-installation-sshnp.md)
* [🖥 Device installation (sshnpd)](ssh-no-ports/guides/installation-guide/device-installation-sshnpd.md)
* [📌 Activate an address (a.k.a. atSign)](ssh-no-ports/guides/installation-guide/activate-an-address-a.k.a.-atsign.md)
* [👨💻 Usage Guide](ssh-no-ports/guides/usage-guide/README.md)
* [💻 Basic Usage](ssh-no-ports/guides/usage-guide/basic-usage.md)
* [🌐 Webserver](ssh-no-ports/guides/usage-guide/webserver.md)
* [🗃 SFTP](ssh-no-ports/guides/usage-guide/sftp.md)
* [🖥 RDP](ssh-no-ports/guides/usage-guide/rdp.md)
* [⬆ Upgrade Guide](ssh-no-ports/guides/upgrade-guide/README.md)
* [👩💻 Client Upgrade (sshnp)](ssh-no-ports/guides/upgrade-guide/client-upgrade-sshnp.md)
* [💽 Device Upgrade (sshnpd)](ssh-no-ports/guides/upgrade-guide/device-upgrade-sshnpd.md)
* [❓ FAQ \[Coming soon\]](ssh-no-ports/faq-coming-soon.md)
* [📔 Developer Notes](developer-notes/README.md)
* [Under The Hood](developer-notes/underthehood.md)
* [noports.com](https://noports.com)
* [No Ports Address Portal](https://my.noports.com/no-ports/)
3 changes: 3 additions & 0 deletions docs/developer-notes/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# 📔 Developer Notes

The "Developer Notes" section is maintained on a best effort basis, with the intent of making the architecture designs and details available alongside the open source code. Please see the rest of the docs or [file an issue on GitHub](https://github.com/atsign-foundation/noports/issues/new/choose) seeking clarification.
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
# Under The Hood

**Note**: This document describes version 4.0.0-rc.2 or later. Prior versions used a different method of forming the connection.
{% hint style="info" %}
This document describes version 4.0.0-rc.2. Other versions use a different method of forming the connection.
{% endhint %}

## Overview

Expand Down
29 changes: 29 additions & 0 deletions docs/ssh-no-ports/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# ⌨ SSH No Ports

## Overview

SSH No Ports is the flagship product in the No Ports suite. It enables you to SSH to any device with no open listening ports, making your devices reachable while eliminating network attack surfaces and reducing administrative overhead!

## Information

See [here](https://www.noports.com/sshnp-how-it-works) for more information on how SSH No Ports works.

If you have a specific questions see the [FAQ](faq-coming-soon.md) or reach out to use using one of the following options:

* Create a new [GitHub issue](https://github.com/atsign-foundation/noports/issues/new/choose)
* Join [our discord](https://discord.atsign.com) and post to our `📑|forum` channel
* [Contact support via email](mailto:[email protected])

## Guides

### Installation

<table data-card-size="large" data-column-title-hidden data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="guides/installation-guide/client-installation-sshnp.md">client-installation-sshnp.md</a></td></tr><tr><td><a href="guides/installation-guide/device-installation-sshnpd.md">device-installation-sshnpd.md</a></td></tr></tbody></table>

### Usage

<table data-card-size="large" data-column-title-hidden data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="guides/usage-guide/basic-usage.md">basic-usage.md</a></td></tr><tr><td><a href="guides/usage-guide/webserver.md">webserver.md</a></td></tr><tr><td><a href="guides/usage-guide/sftp.md">sftp.md</a></td></tr><tr><td><a href="guides/usage-guide/rdp.md">rdp.md</a></td></tr></tbody></table>

### Upgrade

<table data-card-size="large" data-column-title-hidden data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="guides/upgrade-guide/client-upgrade-sshnp.md">client-upgrade-sshnp.md</a></td></tr><tr><td><a href="guides/upgrade-guide/device-upgrade-sshnpd.md">device-upgrade-sshnpd.md</a></td></tr></tbody></table>
9 changes: 9 additions & 0 deletions docs/ssh-no-ports/faq-coming-soon.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# ❓ FAQ \[Coming soon]

## Coming soon!

If you have a question that needs answering please do one of the following:

* Create a new [GitHub issue](https://github.com/atsign-foundation/noports/issues/new/choose)
* Join [our discord](https://discord.atsign.com) and post to our `📑|forum` channel
* [Contact support via email](mailto:[email protected])
13 changes: 13 additions & 0 deletions docs/ssh-no-ports/guides/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# 🔢 Guides

{% content-ref url="installation-guide/" %}
[installation-guide](installation-guide/)
{% endcontent-ref %}

{% content-ref url="usage-guide/" %}
[usage-guide](usage-guide/)
{% endcontent-ref %}

{% content-ref url="upgrade-guide/" %}
[upgrade-guide](upgrade-guide/)
{% endcontent-ref %}
21 changes: 21 additions & 0 deletions docs/ssh-no-ports/guides/installation-guide/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# 💽 Installation Guide

## Overview

The installation guide is broken up into three parts. You may start with either the [client installation](client-installation-sshnp.md), or the [device installation](device-installation-sshnpd.md). The [activate an address](activate-an-address-a.k.a.-atsign.md) guide is a supplementary guide which is referred to by both the client and device installation guides.

## Guides

{% content-ref url="client-installation-sshnp.md" %}
[client-installation-sshnp.md](client-installation-sshnp.md)
{% endcontent-ref %}

{% content-ref url="device-installation-sshnpd.md" %}
[device-installation-sshnpd.md](device-installation-sshnpd.md)
{% endcontent-ref %}

### Supplementary Guides

{% content-ref url="activate-an-address-a.k.a.-atsign.md" %}
[activate-an-address-a.k.a.-atsign.md](activate-an-address-a.k.a.-atsign.md)
{% endcontent-ref %}
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# 📌 Activate an address (a.k.a. atSign)

## Overview

Both sshnp and sshnpd require activated noports addresses, also known as atSigns.
Loading

0 comments on commit 1f8052c

Please sign in to comment.