
Show HN: Tunshell – Remote shell into ephemeral environments behind NAT/firewall - timetoogo
https://github.com/TimeToogo/tunshell
======
xomodo
For accessing aws ec2 instances behind nat/fw add these lines to ~/.ssh/config:

      Host i-* mi-*
       ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
       UserKnownHostsFile /dev/null
       StrictHostKeyChecking no
       User ubuntu
       LogLevel ERROR
       DynamicForward 5060

Usage: `ssh -i key.pem i-0xxxxxxxxxx`. Last config line can be used for
optional proxy browsing.
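As an added example (not from this thread and not part of Tunshell), a POSIX sh script for the SSH-over-SSM setup above that keeps host key verification enabled: it pins an instance's public host key under its instance id (which is what the ProxyCommand passes as %h) in a dedicated known_hosts file, and emits the matching config stanza. The public key itself must be fetched out of band, for example by reading /etc/ssh/ssh_host_ed25519_key.pub during an SSM session; the instance ids and key material used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin an EC2 instance's SSH host key under its instance id so
# ssh over "aws ssm start-session" can run with StrictHostKeyChecking yes
# instead of accepting whatever key the relay presents.
set -eu

# pin_host_key <instance-id> "<keytype> <base64> [comment]" <known_hosts path>
# Replaces any earlier entry for the same id so a rotated key leaves no stale line.
pin_host_key() {
    id=$1; pubkey=$2; kh=$3
    keytype=$(printf '%s\n' "$pubkey" | cut -d' ' -f1)
    keydata=$(printf '%s\n' "$pubkey" | cut -d' ' -f2)
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported host key type: $keytype" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    # Keep every line except a previous entry for this instance id.
    [ -f "$kh" ] && grep -v -- "^$id " "$kh" > "$tmp" || true
    printf '%s %s %s\n' "$id" "$keytype" "$keydata" >> "$tmp"
    mv "$tmp" "$kh"
    chmod 600 "$kh"
}

# ssm_ssh_config <known_hosts path>: the ~/.ssh/config stanza with checking on.
ssm_ssh_config() {
    cat <<EOF
Host i-* mi-*
  ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
  UserKnownHostsFile $1
  StrictHostKeyChecking yes
  User ubuntu
  LogLevel ERROR
EOF
}
```

With the config installed, a key that differs from the pinned one makes ssh abort the connection rather than print a warning and continue.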

~~~
whalesalad
This is a game changer. I have a bastion host in certain environments. I never
realized AWS has built-in kit to achieve this sort of thing. I assume the key
product here is SSM?

~~~
mwakerman
Correct. It’s not always this simple though; you also need an IAM profile that
the EC2 instance can assume with the required permissions. Depending on how
you configure your NAT Instance/Gateway, you may also need to whitelist the
ssm service.

~~~
xomodo
I'm using this IAM policy on the ec2 instance profile:
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

------
sitkack
Like any good distributed system networking layer, this is botnet control
plane.

~~~
ghgr
> Unsavory Use-cases

> Tunshell could also be used as an exploitation tool to gain unauthorized
> access to remote hosts. Personally, I hope that this tool is not misused for
> nefarious purposes. If it becomes apparent that tunshell is helping
> malicious actors go about their activities, the free service will be
> discontinued.

It seems the author already thought about that. Well, don't we all here have
the Security Mindset (TM)? [1]

[1]
[https://www.schneier.com/blog/archives/2008/03/the_security_...](https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html)

------
antoniomika
Shameless self plug below.

Main issue I have with this is the requirement for some binary to establish
the shell connection, where you can get by just fine with a bidirectional TCP
stream.

I’ve been doing something similar to this for a while, but just by using
netcat on an externally routable server. Then, I created a TCP relay server
that acts as a link between a TCP connection and WebSocket to replace it [0].

You can use this to open reverse shells over tcp, redirect output to a socket,
etc. and it’ll all be available through a browser page.

My personal favorite use is something like: `htop | tee >(nc host port)`,
which redirects and prints command output to a web page that you can share
with anyone. The beauty of this route over something like Tunshell is that
your client implementation decides what to do with the socket and can just
treat it as a bidirectional stream. There’s another service that provides
similar functionality but doesn’t have the bidirectionality and stores the
stream [1].

If you want to use it as a tmate alternative, just write a client that does
just that [2]. Now you can control whether or not people can write to your
session, share any command, and all your peer needs to access the session is a
browser.

I think Tunshell definitely has some cool features (direct connection, multi
protocol, small statically linked bin) and I will still likely find a way to
use it though!

[0]
[https://github.com/antoniomika/seeshell](https://github.com/antoniomika/seeshell)

[1] [https://seashells.io/](https://seashells.io/)

[2]
[https://github.com/antoniomika/shellshare](https://github.com/antoniomika/shellshare)

------
chme
Can this be used similar to tmate ([https://github.com/tmate-io/tmate](https://github.com/tmate-io/tmate)) to easily share a shell?

Why I asked for this is because tmate isn't really that secure. You have to
trust the relay server.

Maybe tunshell can be combined with tmux directly to open a shared view.

~~~
iforgotpassword
We use tmate for support and have it configured with our own relay. If you use
it just for one-offs this is probably too much hassle though.

------
pedro2
TL;DR: Reverse SSH using a helper along the way?

~~~
Lex-2008
Yep, that's what I'm using pretty much every day.

Quote from their website:

> The use case for tunshell is predominantly quick, ad-hoc remote access to
> hosts which you may not have SSH access to, or even the ability to install
> an SSH daemon at all.

They mention GitHub Actions, BitBucket Pipelines, AWS Lambda and Google Cloud
Serverless Functions as target usage areas for this tool.

------
YarickR2
Dear God, grant us mere mortals DPI powers to block this and similar things,
'cause devs often do not know what they are doing.