-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/trunk' into socket-authenticator…
…-option
- Loading branch information
Showing
112 changed files
with
1,601 additions
and
1,220 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,147 +1,19 @@ | ||
# Copy of Under The Hood | ||
--- | ||
description: Welcome to the No Ports documentation site. | ||
--- | ||
|
||
**Note**: This document describes version 4.0.0-rc.2 or later. Prior versions used a different method of forming the connection. | ||
# 🚫 No Ports Documentation | ||
|
||
## Overview | ||
## SSH No Ports | ||
|
||
There are three atSigns involved - one for each of | ||
SSH No Ports is the flagship product in the No Ports suite. It enables you to SSH to any device with no open listening ports, making your devices reachable while eliminating network attack surfaces and reducing administrative overhead! | ||
|
||
* the noports daemon program (`sshnpd`) which runs on the device you want to ssh to | ||
* the noports client program (`sshnp`) which you run on the device you want to ssh from | ||
* the noports tcp rendezvous program (`sshrvd`) | ||
<table data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="ssh-no-ports/">ssh-no-ports</a></td></tr><tr><td><a href="ssh-no-ports/guides/installation-guide/">installation-guide</a></td></tr><tr><td><a href="ssh-no-ports/guides/upgrade-guide/">upgrade-guide</a></td></tr><tr><td><a href="ssh-no-ports/guides/usage-guide/">usage-guide</a></td></tr><tr><td><a href="ssh-no-ports/faq-coming-soon.md">faq-coming-soon.md</a></td></tr></tbody></table> | ||
|
||
The programs communicate via the atProtocol and the atClient SDKs; as a result, the payloads of the messages the programs send to each other are all end-to-end encrypted. | ||
## Learn More about No Ports | ||
|
||
In brief | ||
If you would like to learn more about how everything works, see our developer notes section. | ||
|
||
* The client (`sshnp`) creates a unique guid for the session | ||
* and sends a request notification to the `sshrvd` for a port1/port2 pair for this sessionId | ||
* The sshrvd | ||
* finds a pair of available ports | ||
* opens server sockets for both of them | ||
* **Note**: rvd will allow just a single client socket to connect to each server socket | ||
* and will bridge them together | ||
* sends response to the client | ||
* The client | ||
* receives the response notification from sshrvd (rv\_host, rv\_port\_1, rv\_port\_2) | ||
* and sends a request notification to the `sshnpd` including the sessionId and the rv\_host:rv\_port\_1 | ||
* The daemon (`sshnpd`) | ||
* opens a socket to the rv\_host:rv\_port\_1 | ||
* and opens a socket to its local sshd port | ||
* and bridges the sockets together | ||
* and sends a response notification to the `sshnp` client | ||
* The client | ||
* issues an ssh command like this to set up the ssh tunnel and do a local port forwarding | ||
|
||
``` | ||
/usr/bin/ssh [email protected] -p 40189 -i /Users/gary/.ssh/noports \ | ||
-L 58358:localhost:22 -t -t -f \ | ||
-o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes \ | ||
-o BatchMode=yes -o ExitOnForwardFailure=yes \ | ||
sleep 15 | ||
``` | ||
* The client displays a message to the user that they may now `ssh -p $local_port $username@localhost`, i.e. `ssh -p 58358 gary@localhost` in the example above, and exits | ||
This high-level flow is visualized in the diagrams below. | ||
**NB** Requests from unauthorized client atSigns are ignored. Note that one may also completely prevent requests from any other atSigns ever even reaching the daemon by using the atProtocol's `config:allow` list feature. | ||
> In the personal edition of noports, a daemon may have only a single authorized client atSign. | ||
> | ||
> The Team and Enterprise editions will allow for multiple authorized client atSigns, controlled not by the daemon but by a separate noports authorization controller process, with its own atSign. | ||
### Overview diagram | ||
![](.gitbook/assets/overview.png) | ||
### Control plane | ||
In the following sequence diagram, atServer address lookup flows, authentication flows, key exchange flows, precise encryption mechanics and notification transmission flows are not covered in detail; those details are provided in the links provided in the "Further Details" section below. | ||
Since the full details are provided in those other links, the `client_1 -> atServer_1 -> atServer_2 -> client_2` message flows are abbreviated to `@atSign_1 -> @atSign_2` in the sequence diagram. Thus, for example, `sshnp (@client)` encapsulates both the sshnp program and the sshnp atServer | ||
```mermaid | ||
sequenceDiagram | ||
participant C as sshnp (@client) | ||
participant R as sshrvd (@rv) | ||
participant D as sshnpd (@device) | ||
note over R,D: service startups | ||
D->D: Authentication | ||
D->D: Start monitor <br> (notification listener) | ||
R->R: Authentication | ||
R->R: Start monitor <br> (notification listener) | ||
note left of C: user runs the sshnp program | ||
C->C: Authentication | ||
C->C: Start monitor <br> (notification listener) | ||
note left of C: sshnp sends session request <br> notification to sshrvd | ||
C->C: Create sessionId guid to send to @rv | ||
C->C: Encrypt message to send to @rv | ||
C->>R: Send notification to @rv <br> requesting host and port | ||
R->R: Decrypt request payload | ||
R->R: Find two unused ports | ||
R->R: Create an isolate <br> which creates server sockets <br> on the ports, waits for connections, <br> and joins their i/o streams | ||
R->R: Create and encrypt <br> response message containing <br> sessionId, host, port_1, port_2 | ||
R->>C: Send response notification <br> to @client | ||
C->C: Create and encrypt request message <br> to send to @device (sessionId, host, port1) | ||
C->>D: Send request to sshnpd | ||
D->>D: SPAWN an sshrv process | ||
D->>R: (Spawned) Open socket $npd_to_rv to host:port_1 | ||
D->>D: (Spawned) Open socket $npd_to_sshd to localhost:22 | ||
D->>D: (Spawned) Join $npd_to_rv and $npd_to_sshd <br> i/o streams, and vice versa | ||
D->>C: Send "connected" response notification if spawned successfully | ||
C->>C: Find an available $local_port<br>or use one supplied by the user via the command line | ||
C->>C: Spawn an initial ssh command to set up the local port forwarding tunnel | ||
C->>C: If spawned successfully, Write to stdout: "ssh -p $local_port $username@localhost" | ||
``` | ||
|
||
### Data plane | ||
|
||
Once the interactions above have completed | ||
|
||
* the sshnpd nor the sshnp programs are no longer involved | ||
* there is a new sshrv process running on the device host which pipes i/o between device port 22 and $rv\_host:$rv\_port\_1 | ||
* there is an ssh process running on the client host which provides the local port forwarding tunnel | ||
* User may now type "ssh -p $local\_port username@localhost" with traffic flowing | ||
* client ssh program <===> | ||
* $client\_localhost:$local\_port <===> bridged by client-side ssh tunnel to | ||
* $rv\_host:$rv\_port\_2 <===> bridged by sshrvd to | ||
* $rv\_host:$rv\_port\_1 <===> bridged by device-side sshrv to | ||
* $device\_host:22 <===> | ||
* device sshd program | ||
|
||
```mermaid | ||
sequenceDiagram | ||
participant ssh | ||
participant clp as client local port | ||
participant rvp1 as rvd port 1 | ||
participant rvp2 as rvd port 2 | ||
participant dp22 as device port 22 | ||
participant sshd | ||
note over ssh,clp: client host | ||
note over rvp1, rvp2: rvd host | ||
note over dp22, sshd: device host | ||
note over clp, rvp1: Bridged by <br> client ssh local port forward | ||
note over rvp1, rvp2: Bridged by <br> rvd | ||
note over rvp2, dp22: Bridged by <br> device sshrv | ||
ssh ->> sshd: packets from ssh to sshd | ||
sshd ->> ssh: packets from sshd to ssh | ||
``` | ||
|
||
## Further Details | ||
|
||
In the sections above, we referred to "authentication", "sending notifications" and "receiving notifications", and we made the statement that "the payloads of the messages the programs send to each other are all end-to-end encrypted" | ||
|
||
Here are some links to detailed diagrams covering | ||
|
||
* [how atClients authenticate to their atServers](https://github.com/atsign-foundation/at\_protocol/blob/trunk/decisions/2023-01-pkam-per-app-and-device.md#appendix---current-flows) | ||
* [how encrypted data is exchanged](https://github.com/atsign-foundation/at\_protocol/blob/trunk/usage-examples/how-to-exchange-encrypted-data.md) (including how keys are exchanged) | ||
* [how notifications work](https://github.com/atsign-foundation/at\_protocol/blob/trunk/usage-examples/how-notifications-work.md) | ||
{% content-ref url="developer-notes/" %} | ||
[developer-notes](developer-notes/) | ||
{% endcontent-ref %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,14 +1,22 @@ | ||
# Table of contents | ||
|
||
* [Copy of Under The Hood](README.md) | ||
* [No Ports Docs](<README (1).md>) | ||
|
||
## SSH No Ports | ||
|
||
* [Overview](ssh-no-ports/overview.md) | ||
* [Installation Guide](ssh-no-ports/installation-guide.md) | ||
* [Usage Guide](ssh-no-ports/usage-guide.md) | ||
|
||
## Developer Notes <a href="#dev-notes" id="dev-notes"></a> | ||
|
||
* [Under The Hood](dev-notes/underthehood.md) | ||
* [🚫 No Ports Documentation](README.md) | ||
* [⌨ SSH No Ports](ssh-no-ports/README.md) | ||
* [🔢 Guides](ssh-no-ports/guides/README.md) | ||
* [💽 Installation Guide](ssh-no-ports/guides/installation-guide/README.md) | ||
* [👩💻 Client installation (sshnp)](ssh-no-ports/guides/installation-guide/client-installation-sshnp.md) | ||
* [🖥 Device installation (sshnpd)](ssh-no-ports/guides/installation-guide/device-installation-sshnpd.md) | ||
* [📌 Activate an address (a.k.a. atSign)](ssh-no-ports/guides/installation-guide/activate-an-address-a.k.a.-atsign.md) | ||
* [👨💻 Usage Guide](ssh-no-ports/guides/usage-guide/README.md) | ||
* [💻 Basic Usage](ssh-no-ports/guides/usage-guide/basic-usage.md) | ||
* [🌐 Webserver](ssh-no-ports/guides/usage-guide/webserver.md) | ||
* [🗃 SFTP](ssh-no-ports/guides/usage-guide/sftp.md) | ||
* [🖥 RDP](ssh-no-ports/guides/usage-guide/rdp.md) | ||
* [⬆ Upgrade Guide](ssh-no-ports/guides/upgrade-guide/README.md) | ||
* [👩💻 Client Upgrade (sshnp)](ssh-no-ports/guides/upgrade-guide/client-upgrade-sshnp.md) | ||
* [💽 Device Upgrade (sshnpd)](ssh-no-ports/guides/upgrade-guide/device-upgrade-sshnpd.md) | ||
* [❓ FAQ \[Coming soon\]](ssh-no-ports/faq-coming-soon.md) | ||
* [📔 Developer Notes](developer-notes/README.md) | ||
* [Under The Hood](developer-notes/underthehood.md) | ||
* [noports.com](https://noports.com) | ||
* [No Ports Address Portal](https://my.noports.com/no-ports/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# 📔 Developer Notes | ||
|
||
The "Developer Notes" section is maintained on a best effort basis, with the intent of making the architecture designs and details available alongside the open source code. Please see the rest of the docs or [file an issue on GitHub](https://github.com/atsign-foundation/noports/issues/new/choose) seeking clarification. |
4 changes: 3 additions & 1 deletion
4
docs/dev-notes/underthehood.md → docs/developer-notes/underthehood.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# ⌨ SSH No Ports | ||
|
||
## Overview | ||
|
||
SSH No Ports is the flagship product in the No Ports suite. It enables you to SSH to any device with no open listening ports, making your devices reachable while eliminating network attack surfaces and reducing administrative overhead! | ||
|
||
## Information | ||
|
||
See [here](https://www.noports.com/sshnp-how-it-works) for more information on how SSH No Ports works. | ||
|
||
If you have a specific questions see the [FAQ](faq-coming-soon.md) or reach out to use using one of the following options: | ||
|
||
* Create a new [GitHub issue](https://github.com/atsign-foundation/noports/issues/new/choose) | ||
* Join [our discord](https://discord.atsign.com) and post to our `📑|forum` channel | ||
* [Contact support via email](mailto:[email protected]) | ||
|
||
## Guides | ||
|
||
### Installation | ||
|
||
<table data-card-size="large" data-column-title-hidden data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="guides/installation-guide/client-installation-sshnp.md">client-installation-sshnp.md</a></td></tr><tr><td><a href="guides/installation-guide/device-installation-sshnpd.md">device-installation-sshnpd.md</a></td></tr></tbody></table> | ||
|
||
### Usage | ||
|
||
<table data-card-size="large" data-column-title-hidden data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="guides/usage-guide/basic-usage.md">basic-usage.md</a></td></tr><tr><td><a href="guides/usage-guide/webserver.md">webserver.md</a></td></tr><tr><td><a href="guides/usage-guide/sftp.md">sftp.md</a></td></tr><tr><td><a href="guides/usage-guide/rdp.md">rdp.md</a></td></tr></tbody></table> | ||
|
||
### Upgrade | ||
|
||
<table data-card-size="large" data-column-title-hidden data-view="cards"><thead><tr><th data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="guides/upgrade-guide/client-upgrade-sshnp.md">client-upgrade-sshnp.md</a></td></tr><tr><td><a href="guides/upgrade-guide/device-upgrade-sshnpd.md">device-upgrade-sshnpd.md</a></td></tr></tbody></table> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
# ❓ FAQ \[Coming soon] | ||
|
||
## Coming soon! | ||
|
||
If you have a question that needs answering please do one of the following: | ||
|
||
* Create a new [GitHub issue](https://github.com/atsign-foundation/noports/issues/new/choose) | ||
* Join [our discord](https://discord.atsign.com) and post to our `📑|forum` channel | ||
* [Contact support via email](mailto:[email protected]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# 🔢 Guides | ||
|
||
{% content-ref url="installation-guide/" %} | ||
[installation-guide](installation-guide/) | ||
{% endcontent-ref %} | ||
|
||
{% content-ref url="usage-guide/" %} | ||
[usage-guide](usage-guide/) | ||
{% endcontent-ref %} | ||
|
||
{% content-ref url="upgrade-guide/" %} | ||
[upgrade-guide](upgrade-guide/) | ||
{% endcontent-ref %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# 💽 Installation Guide | ||
|
||
## Overview | ||
|
||
The installation guide is broken up into three parts. You may start with either the [client installation](client-installation-sshnp.md), or the [device installation](device-installation-sshnpd.md). The [activate an address](activate-an-address-a.k.a.-atsign.md) guide is a supplementary guide which is referred to by both the client and device installation guides. | ||
|
||
## Guides | ||
|
||
{% content-ref url="client-installation-sshnp.md" %} | ||
[client-installation-sshnp.md](client-installation-sshnp.md) | ||
{% endcontent-ref %} | ||
|
||
{% content-ref url="device-installation-sshnpd.md" %} | ||
[device-installation-sshnpd.md](device-installation-sshnpd.md) | ||
{% endcontent-ref %} | ||
|
||
### Supplementary Guides | ||
|
||
{% content-ref url="activate-an-address-a.k.a.-atsign.md" %} | ||
[activate-an-address-a.k.a.-atsign.md](activate-an-address-a.k.a.-atsign.md) | ||
{% endcontent-ref %} |
5 changes: 5 additions & 0 deletions
5
docs/ssh-no-ports/guides/installation-guide/activate-an-address-a.k.a.-atsign.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# 📌 Activate an address (a.k.a. atSign) | ||
|
||
## Overview | ||
|
||
Both sshnp and sshnpd require activated noports addresses, also known as atSigns. |
Oops, something went wrong.