
ShellHub enables teams to easily access any Linux device behind firewall and NAT - gustavosbarreto
https://github.com/shellhub-io/shellhub
======
MayeulC
This is interesting, but how does it work? By leveraging a STUN/TURN server?
Can we connect on port 22?

Actually, there is this link in the subtitle (and in the readme, but only
mentions "getting started", now "how does this work"): [https://shellhub-
io.github.io/](https://shellhub-io.github.io/) this should probably be the
story link.

So, short answer to my question (though I had to read
[https://github.com/shellhub-
io/shellhub/commit/fb0ebf10b1270...](https://github.com/shellhub-
io/shellhub/commit/fb0ebf10b12700e56ab470634d3c150cd3f34036) to understand it,
the website wasn't enough):

* You host a TURN-like server somewhere

* You locally host an ssh server (see the above commit: using docker)

* When you ssh to the local server, the TURN server is contacted, and performs the handshake; your local server proxies to the remote one on the right port

This is an interesting proof-of-concept, but:

* I wish people would deploy ipv6 without (or with minimal) firewalls instead

* As with all TURN, doesn't work with symmetrical NATs

* This is a bit overkill. If I could ssh into the TURN server and have it reply with the right ssh command, it would work as well (need to be quick)

Given the above, this could be built into ssh: specify a TURN server (or plain
ssh host) to negociate a port and have the client & server perform the
handover.

The way I do NAT traversal usually is to setup a reverse tunnel between the
target sshd and another server (initiated by the target host), which I then
proxy/jump on with `-p`. Obviously this uses some of the server's bandwidth,
hence my proposed offer to add something like TURN negotiation on the server.
The intermediate server doesn't even need to be aware of this, if you can
execute arbitrary commands.

I wish more applications were compatible with something like this. The
Internet really is broken if we have to jump trough these hoops to get any p2p
going. There might be a way to do it in a way that's transparent to the
application, but we might need a new TCP for this. I wonder if Yggdrasil or
GNUnet offer to solve that kind of issues over the current TCP network (making
a VPN of sorts between the computers, but not firewalled/NATed).

~~~
JoeOfTexas
TURN is the solution for communicating around Symmetric NAT. STUN is used to
determine the type of NAT a user has, which helps determines the connectivity
method to use between endpoints. Connectivity can be direct to each other or
must routed through a TURN server.

IPv6 still uses NAT and Firewalls, which is a pain, but it is a reliable
method of defense.

Almost all Cellular Networks are on Symmetric NAT, so P2P games are always
going to require a TURN server. However, almost all WiFi networks use Port
Restricted NAT (a level below symmetric), or lower, which is still possible to
make direct p2p connections.

(I am working on my own Networking/P2P library for Unity, which is a painful
process.)

~~~
alanfranz
Does ipv6 use nat, though? Firewalls for certain, but nat? Have you got an
example?

~~~
oarsinsync
> Since at least Linux kernel version 3.9.0 and using ip6tables since 1.4.18
> also Network Address Translation (NAT) is usable.

[https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html](https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html)

------
wiml
For a number of years now — I think I got the idea from a HN comment — I've
just been exposing ssh as a Tor hidden service. Really easy to set up, and I
can donate a few kbps to the tor network.

------
AndrewThrowaway
Is it just me or documentation is lacking? What is server, what is device? In
both introduction and "getting started" it is mentioned that "The ShellHub SSH
gateway is a modern SSH server built using the microservices design pattern"
but does it really bring any information about what exactly am I doing by
generating keys, creating users? How is it really an improvement over let's
say VPN? Maybe a simple image/scheme would help to understand all the
hierarchy and what exactly is happening where?

~~~
gustavosbarreto
> but does it really bring any information about what exactly am I doing by
> generating keys, creating users?

The keys are used by ShellHub as "ssh host keys" that ensures you are
connecting to the right server.

The users that are created by 'add-user' script are used to login in the Web
UI running on port 80.

> How is it really an improvement over let's say VPN

The improvement is that you don't need to run your own VPN server and setup
the client on every host :)

> Maybe a simple image/scheme would help to understand all the hierarchy and
> what exactly is happening where?

I fully agree with you

~~~
gustavosbarreto
> Maybe a simple image/scheme would help to understand all the hierarchy and
> what exactly is happening where?

Please see [https://shellhub-io.github.io/introduction/](https://shellhub-
io.github.io/introduction/)

------
eeZah7Ux
A security critical daemon running in docker?

Given docker abysmal security track record?

------
tyingq
DigitalOcean doesn't charge for their floating ips, so it's a fairly
economical way to traverse NAT. $5/month total assuming you keep the floating
IP assigned. Fairly simple with wireguard and port forwarding via firewalld or
iptables.

------
gitgud
Is this just another client that wraps SSH and provides a Web interface?...

Or am I missing something?

~~~
tyingq
It seems to also include a gateway component you run on a public machine that
brokers ssh access to machines behind nat.

So you could piece together your own with ssh tunnels, or a VPN, and a web
terminal. I assume the appeal is that's done for you.

The docs are pretty light though, with a lot of typos. It doesn't inspire a
lot of confidence that it's done in a secure way.

------
bilekas
Not a bad idea, I have seen some simular but for the love of god why the
docker dependancy ?

Any stripped down version ?

Let me rephrase that, I'd like to test this out, maybe even use it, but I
don't want docker near my machine..

~~~
pizza234
Why the hate for Docker? :-) As I wrote in another post, using a Docker in
this case is a form of packaging, which is reasonable for a young project. Of
course, ideally (and/or in the long-term), one would use something more
specific, like distro-based packages or snaps/similar.

~~~
bilekas
I don't have a hate for Docker, its really useful for certain things, but with
a project like this I would preffer to run it myself without th docker
scafolding and hand holding, I would like to go straight in here and play
around.

It's just a preference I guess, but it's time consuming now to go and extract
the docker fluff for me.

> which is reasonable for a young project

I would argue a more mature project would benefit more from stronger
versioning management though.

------
javajosh
We need a way for software to declare its _runtime dependencies_. This product
_must_ use some sort of running process on the public internet, and yet
there's no mention of it in the readme!

~~~
pizza234
Runtime dependencies are a matter of packaging. Does this differ from your
requirement(s)?

In this case, packaging is in the form of a Docker image. It's definitely
suboptimal, but for a young project, that's reasonable.

------
gustavosbarreto
Due to the amount of messages I've received about ShellHub I've created a
channel on Gitter ([https://gitter.im/shellhub-
io/community](https://gitter.im/shellhub-io/community))

------
simula67
You could also use [https://ngrok.com/](https://ngrok.com/)

~~~
nimbius
its worth noting this, as well as shellhub, cannot get around Bluecoats
javascipt clickthrough transparent proxy, which imo would be a serious win.

------
broknbottle
Neat. This looks like a self hosted version of AWS SSM/Systems Manager +
Session Manager Plugin

