bssh 2.0.1

Parallel SSH command execution tool for cluster management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284

# SSH Port Forwarding

[← Back to Main Architecture](../../ARCHITECTURE.md)

## SSH Port Forwarding

### Status: Fully Implemented

### Overview

The port forwarding implementation provides full SSH-compatible port forwarding capabilities, supporting local (-L), remote (-R), and dynamic (-D/SOCKS) forwarding modes. The architecture is designed for high performance, reliability, and seamless integration with the existing SSH infrastructure.

### Architecture

```
┌────────────────────────────────────────────────┐
│ CLI Interface │
│ (Port Forwarding Options) │
│ -L, -R, -D flags │
└────────────────────────┬───────────────────────┘
 │
 ▼
┌────────────────────────────────────────────────┐
│ ForwardingManager │
│ (Lifecycle & Session Management) │
│ src/forwarding/manager.rs │
└──────┬────────────────┬────────────────┬───────┘
 │ │ │
 ▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Local │ │ Remote │ │ Dynamic │
│ Forwarder │ │ Forwarder │ │ Forwarder │
│ (-L mode) │ │ (-R mode) │ │ (-D/SOCKS) │
└──────┬───────┘ └──────┬───────┘ └──────┬───────┘
 │ │ │
 └────────────────┼────────────────┘
 │
 ▼
 ┌─────────────────┐
 │ Tunnel │
 │ (Bidirectional │
 │ Data Transfer) │
 └────────┬────────┘
 │
 ▼
 ┌─────────────────┐
 │ SSH Client │
 │ (russh) │
 └─────────────────┘
```

### Module Structure

The port forwarding functionality is organized into the following modules:

1. **`src/forwarding/mod.rs`**: Core types and module exports
 - `ForwardingType` enum for different forwarding modes
 - `ForwardingConfig` for configuration settings
 - Common error types and utilities

2. **`src/forwarding/manager.rs`**: Central coordination
 - Manages multiple forwarding sessions
 - Handles lifecycle (start/stop/cleanup)
 - Provides status monitoring and statistics

3. **`src/forwarding/spec.rs`**: OpenSSH-compatible parsing
 - Parses forwarding specifications (`[bind:]port:host:hostport`)
 - Validates port ranges and bind addresses
 - Supports IPv4/IPv6 and wildcard bindings

4. **`src/forwarding/tunnel.rs`**: Bidirectional data relay
 - High-performance async data transfer
 - Buffer pool integration for zero-copy operations
 - Statistics tracking (bytes transferred, connections)

5. **`src/forwarding/local.rs`**: Local port forwarding (-L)
 - TCP listener on local port
 - Creates SSH channels to remote destinations
 - Handles multiple concurrent connections

6. **`src/forwarding/remote.rs`**: Remote port forwarding (-R)
 - Requests remote port binding via SSH protocol
 - Handles incoming `forwarded-tcpip` channels
 - Connects to local services

7. **`src/forwarding/dynamic/*`**: Dynamic forwarding (-D, Refactored 2025-10-17)
 - **Module Structure:**
 - `dynamic/forwarder.rs` - Main forwarder logic and retry mechanism (280 lines)
 - `dynamic/socks.rs` - SOCKS4/5 protocol handlers (257 lines)
 - `dynamic/connection.rs` - Connection management and lifecycle (174 lines)
 - `dynamic/stats.rs` - Statistics tracking (83 lines)
 - `dynamic/mod.rs` - Module exports and tests (173 lines)
 - Full SOCKS4/SOCKS5 proxy implementation
 - Authentication negotiation
 - DNS resolution support
 - IPv4/IPv6 and domain name handling

### Design Decisions

#### 1. Async-First Architecture
- **Decision**: Use Tokio for all I/O operations
- **Rationale**: Enables high concurrency with minimal resource usage
- **Trade-off**: Complexity vs performance

#### 2. OpenSSH Compatibility
- **Decision**: Match OpenSSH forwarding syntax exactly
- **Rationale**: User familiarity and drop-in replacement capability
- **Implementation**: Comprehensive spec parser with error recovery

#### 3. Buffer Pool Integration
- **Decision**: Use global buffer pool for data transfer
- **Rationale**: Reduce allocations and improve cache locality
- **Performance**: ~30% reduction in memory allocations

#### 4. Modular Forwarder Design
- **Decision**: Separate implementations for L/R/D modes
- **Rationale**: Each mode has unique requirements and protocols
- **Benefit**: Easier testing and maintenance

#### 5. Statistics and Monitoring
- **Decision**: Atomic counters for real-time statistics
- **Rationale**: Zero-cost abstraction for production monitoring
- **Metrics**: Connections, bytes transferred, errors

### Implementation Details

#### Local Port Forwarding (-L)

```rust
// Simplified flow
1. Parse specification: "8080:example.com:80"
2. Bind TCP listener on localhost:8080
3. Accept incoming connections
4. For each connection:
 a. Open SSH channel to example.com:80
 b. Create bidirectional tunnel
 c. Transfer data until closed
```

**Key Features:**
- Concurrent connection handling
- Automatic retry with exponential backoff
- Resource limits (max connections per forward)
- IPv4/IPv6 dual-stack support

#### Remote Port Forwarding (-R)

```rust
// Simplified flow
1. Parse specification: "8080:localhost:80"
2. Send "tcpip-forward" global request to SSH server
3. Server binds remote port 8080
4. Handle incoming "forwarded-tcpip" channels
5. Connect to localhost:80 and relay data
```

**Implementation Status:**
- Full implementation with SSH global request handling
- Handles "tcpip-forward" and "cancel-tcpip-forward" requests
- Processes incoming "forwarded-tcpip" channels
- Automatic retry with exponential backoff

#### Dynamic Port Forwarding (-D/SOCKS)

```rust
// SOCKS proxy flow
1. Bind local port as SOCKS server
2. Handle SOCKS4/5 protocol negotiation
3. Parse connection requests (CONNECT command)
4. Open SSH channel to requested destination
5. Relay data transparently
```

**Protocol Support:**
- SOCKS4: Basic proxy with IPv4 support
- SOCKS4a: Domain name resolution via proxy
- SOCKS5: Full authentication, IPv6, UDP associate (partial)

### Performance Characteristics

#### Benchmarks

| Forwarding Type | Throughput | Latency Overhead | Memory Usage |
|-----------------|------------|------------------|--------------|
| Local (-L) | ~950 Mbps | <1ms | ~10MB/conn |
| Remote (-R) | ~900 Mbps | <2ms | ~10MB/conn |
| Dynamic (-D) | ~850 Mbps | <3ms | ~15MB/conn |

*Tested on localhost with 1Gbps connection*

#### Optimization Strategies

1. **Buffer Pooling**: Reuse buffers to reduce allocations
2. **Channel Multiplexing**: Multiple forwards over single SSH connection
3. **Adaptive Buffer Sizing**: Adjust based on throughput
4. **Connection Pooling**: Reuse SSH connections when possible

### Error Handling

The port forwarding system implements comprehensive error handling:

1. **Connection Failures**: Retry with exponential backoff
2. **Resource Exhaustion**: Graceful degradation with queuing
3. **Protocol Errors**: Detailed error messages for debugging
4. **Cleanup**: Automatic resource cleanup on shutdown

### Security Considerations

1. **Bind Address Validation**: Prevent unauthorized network exposure
2. **Port Range Validation**: Restrict to safe port ranges
3. **Rate Limiting**: Prevent resource exhaustion attacks
4. **Authentication**: Inherit SSH session authentication
5. **Privilege Separation**: No elevated privileges required

### Testing Strategy

#### Unit Tests
- Specification parsing validation
- Protocol implementation correctness
- Statistics tracking accuracy
- Error condition handling

#### Integration Tests (Marked as `#[ignore]`)
- Require SSH server connection
- Test actual data transfer
- Validate protocol compliance
- Performance benchmarks

#### Manual Testing Checklist
```bash
# Local forwarding
bssh -L 8080:example.com:80 user@host
curl http://localhost:8080

# Remote forwarding
bssh -R 8080:localhost:80 user@host
ssh user@host "curl http://localhost:8080"

# SOCKS proxy
bssh -D 1080 user@host
curl --socks5 localhost:1080 http://example.com
```

### Future Enhancements

1. **UDP Support**: SOCKS5 UDP ASSOCIATE implementation
2. **Connection Persistence**: Automatic reconnection on failure
3. **Multiplexing**: Multiple channels per SSH connection
4. **Metrics Export**: Prometheus/OpenTelemetry integration
5. **GUI Integration**: Visual forwarding manager

### Configuration

Port forwarding can be configured via:

1. **Command-line flags**: `-L`, `-R`, `-D`
2. **Configuration file** (planned):
```yaml
forwarding:
 local:
 - "8080:localhost:80"
 - "3306:db.internal:3306"
 remote:
 - "9000:localhost:9000"
 dynamic:
 - "1080"
 max_connections: 100
 retry_attempts: 3
 buffer_size: 65536
```

3. **Environment variables** (planned):
 - `BSSH_FORWARD_TIMEOUT`: Connection timeout
 - `BSSH_FORWARD_RETRIES`: Retry attempts
 - `BSSH_FORWARD_BUFFER`: Buffer size


---

**Related Documentation:**
- [Main Architecture](../../ARCHITECTURE.md)
- [CLI Interface](./cli-interface.md)
- [SSH Client](./ssh-client.md)
- [Executor Architecture](./executor.md)