Show HN: Tunshell – Remote shell into ephemeral environments behind NAT/firewall
github.comFor accessing aws ec2 instances behind nat/fw add this lines ~/.ssh/config:
Host i-* mi-*
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
User ubuntu
LogLevel ERROR
DynamicForward 5060
This is a game changer. I have a bastion host in certain environments I never realized AWS has built in kit to achieve this sort of thing. I assume the key product here is SSM?
Correct. It’s not always this simple though, you also need an IAM profile that the EC2 instance can assume with the required permissions. Depending on how you configure your NAT Instance/Gateway, you may also need to whitelist the ssm service.
Im using this IAM policy on ec2 instance profile: "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
Like any good distributed system networking layer, this is botnet control plane.
> Unsavory Use-cases
> Tunshell could also be used as an exploitation tool to gain unauthorized access to remote hosts. Personally, I hope that this tool is not misused for nefarious purposes. If it becomes apparent that tunshell is helping malicious actors go about their activities, the free service will be discontinued.
It seems the author already though about that. Well, don't we all here have the Security Mindset (TM)? [1]
[1] https://www.schneier.com/blog/archives/2008/03/the_security_...
Shameless self plug below.
Main issue I have with this is the requirement for some binary to establish the shell connection, where you can get by just fine with a bidirectional TCP stream.
I’ve been doing something similar to this for a while, but just by using netcat on an externally routable server. Then, I created a TCP relay server that acts as a link between a TCP connection and WebSocket to replace it [0].
You can use this to open reverse shells over tcp, redirect output to a socket, etc. and it’ll all be available through a browser page.
My personal favorite use is something like: `htop | tee >(nc host port)`, which redirects and prints command output to a web page that you can share with anyone. The beauty of this route over something like Tunshell is that your client implementation decides what to do with the socket and can just treat is as a bidirectional stream. There’s another service that provides similar functionality but doesn’t have the bidirectionality and stores the stream [1].
If you want to use it as a tmate alternative, just write a client that does just that [2]. Now you can control whether or not people can write to your session, share any command, and all your peer needs to access the session is a browser.
I think Tunshell definitely has some cool features (direct connection, multi protocol, small statically linked bin) and I will still likely find a way to use it though!
Can this be used similar to tmate (https://github.com/tmate-io/tmate) to easily share a shell?
Why I asked for this is because tmate isn't really that secure. You have to trust the relay server.
Maybe tunshell can be combined with tmux directly to open a shared view.
We use tmate for support and have it configured with our own relay. If you use it just for one-offs this is probably too much hassle though.
TL;DR: Reverse SSH using an helper along the way?
Yep, that's what I'm using pretty much every day.
Quote from their website:
> The use case for tunshell is predominantly quick, ad-hoc remote access to hosts which you may not have SSH access to, or even the ability to install an SSH daemon at all.
They mention GitHub Actions, BitBucket Pipelines, AWS Lambda and Google Cloud Serverless Functions as target usage areas for this tool.
Dear God, grant us mere mortals DPI powers to block this and similar things, 'cause devs are often do not know what they are doing.