
Commit 4f600f6

docs, added timeout to client handshake
1 parent 9d494aa commit 4f600f6

5 files changed

Lines changed: 40 additions & 29 deletions


README.md

Lines changed: 22 additions & 22 deletions
@@ -21,7 +21,7 @@ $ go get -v github.com/jpillora/chisel
2121
* Easy to use
2222
* [Performant](#performance)*
2323
* [Encrypted connections](#security) using `crypto/ssh`
24-
* [Authenticated connections](#authentication) using a users config file
24+
* [Authenticated connections](#authentication), authenticate clients with a users config file, authenticate servers with fingerprint matching.
2525
* Client auto-reconnects with [exponential backoff](https://github.com/jpillora/backoff)
2626
* Client can create multiple tunnel endpoints over one TCP connection
2727
* Server optionally doubles as a [reverse proxy](http://golang.org/pkg/net/http/httputil/#NewSingleHostReverseProxy)
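Review bot: the new bullet is a comma splice and overstates the default: per the Security paragraph changed in this same commit, the client only rejects a mismatching server when `--fingerprint` is given, otherwise it merely prints the fingerprint. Suggest: `* [Authenticated connections](#authentication): clients are authenticated against a users config file, and clients can pin the server's key with --fingerprint.`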
@@ -78,7 +78,7 @@ and then visit [localhost:3000](http://localhost:3000/), we should see a directo
7878
7979
--port, Defines the HTTP listening port (defaults to 8080).
8080
81-
--key, An optional string to seed the generation of a ECC public
81+
--key, An optional string to seed the generation of a ECDSA public
8282
and private key pair. All commications will be secured using this
8383
key pair. Share the resulting fingerprint with clients to prevent
8484
man-in-the-middle attacks.
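Review bot: `a ECDSA` should read `an ECDSA`, and the unchanged context line still carries the typo `commications` (should be `communications`). This help block is duplicated verbatim in main.go's `serverHelp`, so apply the same fixes there or the two copies drift.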
@@ -155,7 +155,7 @@ See also [programmatic usage](https://github.com/jpillora/chisel/wiki/Programmat
155155

156156
### Security
157157

158-
Encryption is enabled by default, when you start up a chisel server, it will generate an in-memory ECC public/private key pair. The public key fingerprint will be displayed as the server starts. Instead of always generating a random key, the server may optionally specify a key seed, using the `--key`, which will be used to seed the key generation. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information.
158+
Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key seed, using the `--key` option, which will be used to seed the key generation. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the `--fingerprint` option. See the `--help` above for more information.
159159

160160
### Authentication
161161

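Review bot: the Security paragraph should state the consequence of `--key`: the ECDSA private key is derived deterministically from the seed (see share/determ_rand.go in this commit), so anyone who knows or can guess the seed can reproduce the server's key and will pass the client's fingerprint check. Recommend a sentence such as `Treat the --key seed as a secret with at least as much entropy as the key itself; a guessable seed makes the fingerprint meaningless.` Also `the server may optionally specify a key seed` reads as if the server chooses it; `the operator may supply a key seed with --key` is clearer.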
@@ -184,29 +184,29 @@ Note, we're using an in-memory "file" server on localhost for these tests
184184
*direct*
185185

186186
```
187-
:3000 => 1 bytes in 1.008883ms
188-
:3000 => 10 bytes in 543.198µs
189-
:3000 => 100 bytes in 675.957µs
190-
:3000 => 1000 bytes in 584.13µs
191-
:3000 => 10000 bytes in 580.56µs
192-
:3000 => 100000 bytes in 743.902µs
193-
:3000 => 1000000 bytes in 1.962673ms
194-
:3000 => 10000000 bytes in 19.192986ms
195-
:3000 => 100000000 bytes in 158.428239ms
187+
:3000 => 1 bytes in 1.440608ms
188+
:3000 => 10 bytes in 658.833µs
189+
:3000 => 100 bytes in 669.6µs
190+
:3000 => 1000 bytes in 570.242µs
191+
:3000 => 10000 bytes in 655.795µs
192+
:3000 => 100000 bytes in 693.761µs
193+
:3000 => 1000000 bytes in 2.156777ms
194+
:3000 => 10000000 bytes in 18.562896ms
195+
:3000 => 100000000 bytes in 146.355886ms
196196
```
197197

198198
`chisel`
199199

200200
```
201-
:2001 => 1 bytes in 1.190288ms
202-
:2001 => 10 bytes in 1.17237ms
203-
:2001 => 100 bytes in 821.369µs
204-
:2001 => 1000 bytes in 1.029366ms
205-
:2001 => 10000 bytes in 1.281065ms
206-
:2001 => 100000 bytes in 2.14094ms
207-
:2001 => 1000000 bytes in 9.538984ms
208-
:2001 => 10000000 bytes in 86.500426ms
209-
:2001 => 100000000 bytes in 814.630443ms
201+
:2001 => 1 bytes in 1.393731ms
202+
:2001 => 10 bytes in 1.002992ms
203+
:2001 => 100 bytes in 1.082757ms
204+
:2001 => 1000 bytes in 1.096081ms
205+
:2001 => 10000 bytes in 1.215036ms
206+
:2001 => 100000 bytes in 2.09334ms
207+
:2001 => 1000000 bytes in 9.136138ms
208+
:2001 => 10000000 bytes in 84.170904ms
209+
:2001 => 100000000 bytes in 796.713039ms
210210
```
211211

212212
~100MB in **0.8 seconds**
@@ -250,7 +250,7 @@ See more [test/](test/)
250250
### Changelog
251251

252252
* `1.0.0` - Init
253-
* `1.1.0` - Swapped out simple symmetric encryption for ECC SSH
253+
* `1.1.0` - Swapped out simple symmetric encryption for ECDSA SSH
254254

255255
### Todo
256256

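Review bot: the changelog only picks up the ECC to ECDSA rename, while this commit also adds a 10-second server-side timeout on the config handshake and connection-latency logging on the client. Either add an entry for those or state that the changelog tracks released versions only.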
client/client.go

Lines changed: 2 additions & 2 deletions
@@ -146,6 +146,7 @@ func (c *Client) start() {
146146
}
147147
conf, _ := chshare.EncodeConfig(c.config)
148148
c.Debugf("Sending configurating")
149+
t0 := time.Now()
149150
_, conerr, err := sshConn.SendRequest("config", true, conf)
150151
if err != nil {
151152
c.Infof("Config verification failed")
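Review bot: no import hunk for `time` appears for client/client.go, unlike server/server.go in this same commit; confirm `time` was already imported there or the build breaks. Separately, the context line `Sending configurating` should read `Sending configuration`.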
@@ -155,8 +156,7 @@ func (c *Client) start() {
155156
c.Infof(string(conerr))
156157
break
157158
}
158-
159-
c.Infof("Connected")
159+
c.Infof("Connected (Latency %s)", time.Now().Sub(t0))
160160
//connected
161161
b.Reset()
162162

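Review bot: `time.Now().Sub(t0)` is idiomatically `time.Since(t0)`. The measured value is the round trip of the `config` request, including the server's verification time, not a pure network latency, so a label like `Connected (config round-trip %s)` describes it more accurately.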
main.go

Lines changed: 4 additions & 4 deletions
@@ -78,10 +78,10 @@ var serverHelp = `
7878
7979
--port, Defines the HTTP listening port (defaults to 8080).
8080
81-
--key, An optional string to seed the generation of a ECC public
81+
--key, An optional string to seed the generation of a ECDSA public
8282
and private key pair. All commications will be secured using this
83-
key pair. Share the resulting fingerprint with clients to prevent
84-
man-in-the-middle attacks.
83+
key pair. Share this fingerprint with clients to enable detection
84+
of man-in-the-middle attacks.
8585
8686
--authfile, An optional path to a users.json file. This file should
8787
be an object with users defined like:
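Review bot: the wording change is right (a shared fingerprint lets the client detect a man-in-the-middle, and only when `--fingerprint` is passed), but the README copy of this same help text, also touched in this commit, still says `prevent`; update it as well, and consider generating that README section from `serverHelp` so the two cannot diverge.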
@@ -144,7 +144,7 @@ var clientHelp = `
144144
145145
server is the URL to the chisel server.
146146
147-
remotes are remote connections tunneled through the server, each of
147+
remotes are remote connections tunnelled through the server, each of
148148
which come in the form:
149149
150150
<local-host>:<local-port>:<remote-host>:<remote-port>

server/server.go

Lines changed: 11 additions & 1 deletion
@@ -6,6 +6,7 @@ import (
66
"net/http"
77
"net/http/httputil"
88
"net/url"
9+
"time"
910

1011
"github.com/jpillora/chisel/share"
1112
"golang.org/x/crypto/ssh"
@@ -159,7 +160,16 @@ func (s *Server) handleWS(ws *websocket.Conn) {
159160

160161
//verify configuration
161162
s.Debugf("Verifying configuration")
162-
r := <-reqs
163+
164+
//wait for request, with timeout
165+
var r *ssh.Request
166+
select {
167+
case r = <-reqs:
168+
case <-time.After(10 * time.Second):
169+
sshConn.Close()
170+
return
171+
}
172+
163173
failed := func(err error) {
164174
r.Reply(false, []byte(err.Error()))
165175
}
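Review bot: `r` is still nil after the select if `reqs` is closed (client dropped the connection before sending any request), and the `failed` closure right below then calls `r.Reply` on a nil `*ssh.Request`, which panics; receive with `case r, ok = <-reqs:` and treat `!ok` like the timeout branch (`sshConn.Close(); return`). Minor: the `10 * time.Second` literal deserves a named constant so it can be tuned and tested, and `time.NewTimer` with a deferred `Stop()` avoids leaving a live timer behind for every successful handshake.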

share/determ_rand.go

Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,6 @@
11
package chshare
22

3+
// Deterministic crypto.Reader
34
// overview: half the result is used as the output
45
// [a|...] -> sha512(a) -> [b|output] -> sha512(b)
56

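Review bot: the new doc comment describes the construction but not its contract. A reader chained from sha512 is exactly as unpredictable as its seed, so add a line stating that callers must supply a secret, high-entropy seed and that this type must not be used as a general CSPRNG; since it now backs the server's ECDSA key generation via `--key`, that warning belongs at the type rather than only in the README.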