Booyaabes/ssh-over-https
ssh-over-https

Warning

First of all: DO NOT USE THIS IN PRODUCTION: It creates a backdoor in your environment. Use it only if you know what you're doing.

Second point: Work in progress

Purpose

This Docker image was made to test a Kubernetes infrastructure. You can connect over SSH tunnelled through HTTPS on port 8443 (by default). The HTTP server and the SSH server run as a non-root user.

This image contains many tools useful for auditing purposes and for testing which capabilities the Kubernetes/Docker engine has allowed the container to keep.

How to build

docker build --tag ssh-over-https:1.0 .

Usage

Direct ssh connection

You can build your own Docker image with the authorized keys embedded, or you can mount an authorized_keys file when launching the container.

docker run -p 8080:8080 -v /home/remote_user/authorized_keys:/home/ubuntu/.ssh/authorized_keys booyaabes/ssh-over-https:1.0

Mounting your public key will allow you to log in to this container as user imnoroot:

ssh -p 8080 -i /home/local_user/.ssh/id_rsa imnoroot@container_ip

SSH over HTTP connection

First of all, you need socat to reach the SSH server through HTTP.

sudo apt install socat

Then, you need to tell the ssh client to use socat as its ProxyCommand. Add something similar to this to your ~/.ssh/config file:

Host container_url
    ProxyCommand socat TCP-LISTEN:1080 OPENSSL:container_url:8443,verify=0 & sleep 1 && socat - PROXY:127.0.0.1:127.0.0.1:2222,proxyport=1080
    DynamicForward 1080
    ServerAliveInterval 60
    ControlMaster auto
    ControlPath ~/.ssh/tmp/%h_%p_%r

In this case, you will only be able to log in with a password. Change the password in the Dockerfile and rebuild the image.

Capabilities

This image contains the /sbin/setcap executable with the file capabilities cap_setpcap,cap_setfcap+ep, meaning that the regular user can modify file capabilities if the right to do so has not been dropped by the Docker engine.
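Whether setcap can actually do anything depends on the capability bounding set the engine left to the container. The following script is an added check, not code from this image or repository: it reads the CapBnd mask from a /proc status file and reports whether cap_setpcap and cap_setfcap are still present. The two sample status files are constructed (Docker's default bounding set, and the same set with both bits dropped).

```sh
#!/bin/sh
# Added example, not code from the ssh-over-https image: report whether the
# container's capability bounding set (CapBnd) still permits the two
# capabilities that the file-capability-tagged /sbin/setcap relies on.

# Capability bit numbers from the kernel's capability.h
CAP_SETPCAP=8
CAP_SETFCAP=31

# cap_bit_set HEXMASK BIT: succeeds when BIT is set in the hex mask
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_mask STATUSFILE: print the CapBnd hex mask from a /proc status file
bounding_mask() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "$1"
}

# setcap_allowed STATUSFILE: "yes" when both bits are in the bounding set,
# otherwise "no:" followed by the names of the missing capabilities
setcap_allowed() {
    mask=$(bounding_mask "$1")
    [ -n "$mask" ] || { echo "unknown"; return 1; }
    missing=""
    cap_bit_set "$mask" "$CAP_SETPCAP" || missing="$missing cap_setpcap"
    cap_bit_set "$mask" "$CAP_SETFCAP" || missing="$missing cap_setfcap"
    if [ -z "$missing" ]; then echo yes; else echo "no:$missing"; fi
}

# Constructed sample status files: Docker's default bounding set, and the
# same set after --cap-drop SETPCAP --cap-drop SETFCAP (bits 8 and 31 cleared).
DEFAULT_STATUS=$(mktemp)
printf 'Name:\tsh\nCapBnd:\t00000000a80425fb\n' > "$DEFAULT_STATUS"
DROPPED_STATUS=$(mktemp)
printf 'Name:\tsh\nCapBnd:\t00000000280424fb\n' > "$DROPPED_STATUS"

echo "docker default bounding set:  $(setcap_allowed "$DEFAULT_STATUS")"
echo "with SETPCAP/SETFCAP dropped: $(setcap_allowed "$DROPPED_STATUS")"
# On a Linux host or inside the container, check the live process as well.
if [ -r /proc/self/status ]; then
    echo "this process:                 $(setcap_allowed /proc/self/status)"
fi
rm -f "$DEFAULT_STATUS" "$DROPPED_STATUS"
```

Run it inside the container (`sh check.sh`) to see whether the engine's settings still let a non-root user exercise the setcap binary.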

TODO List

  • An automated build is available on Docker Hub,
  • Switch to HAProxy instead of Apache HTTPD,
  • Make the HTTP server run as non-root.

Credits

Thanks to Ch-M.D. for

Thanks to Rastasheep for the inspiration.
