reverse-ssh 0.1.0

A Rust library for creating reverse SSH tunnels with automatic URL capture from services like localhost.run
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295

# URL Capture Mechanism

This document explains how the library captures server-generated URLs from services like localhost.run.

## The Challenge

Services like localhost.run generate a random public URL when you connect. This URL needs to be captured and displayed to the user so they know how to access their service. The challenge is that different SSH servers send this information in different ways.

## How localhost.run Works

When you connect to localhost.run via SSH with remote port forwarding:

1. You authenticate via SSH
2. You request remote port forwarding (`tcpip-forward`) with **empty bind address**
3. localhost.run generates a random subdomain (e.g., `https://abc123.localhost.run`)
4. The server sends this URL back through the SSH connection

### Important: Bind Address

localhost.run requires the bind address to be an **empty string** (`""`), not `"0.0.0.0"`.

```rust
// ✅ Correct - empty string lets server choose address
handle.tcpip_forward("", self.config.remote_port).await?;

// ❌ Wrong - causes "missing _lhr TXT record" error
handle.tcpip_forward("0.0.0.0", self.config.remote_port).await?;
```

The URL can be sent via:
- **Standard output (stdout)** - Regular data channel
- **Standard error (stderr)** - Extended data channel (type 1)
- **Shell welcome message** - When opening a shell session

## Our Implementation

### 1. Extended Data Capture

We implement the `extended_data()` handler to capture stderr messages:

```rust
async fn extended_data(
    &mut self,
    _channel: ChannelId,
    ext: u32,
    data: &[u8],
    _session: &mut client::Session,
) -> Result<(), Self::Error> {
    // Extended data includes stderr (ext == 1)
    // localhost.run sends URL info through stderr
    if let Ok(message) = String::from_utf8(data.to_vec()) {
        info!("Received extended data (type {}): {}", ext, message);
        let _ = self.message_tx.send(message);
    }
    Ok(())
}
```

### 2. Regular Data Capture

We also capture regular stdout data:

```rust
async fn data(
    &mut self,
    _channel: ChannelId,
    data: &[u8],
    _session: &mut client::Session,
) -> Result<(), Self::Error> {
    if let Ok(message) = String::from_utf8(data.to_vec()) {
        debug!("Received data: {}", message);
        let _ = self.message_tx.send(message);
    }
    Ok(())
}
```

### 3. Shell Session

After setting up port forwarding, we open a shell session to trigger welcome messages:

```rust
// Open a shell session to receive server messages
match handle.channel_open_session().await {
    Ok(channel) => {
        info!("Opened shell session to receive server messages");
        // Request a shell - this triggers the server to send welcome messages
        if let Err(e) = channel.request_shell(false).await {
            warn!("Failed to request shell: {}", e);
        }
        // Keep the channel open to receive messages
    }
    Err(e) => {
        warn!("Could not open shell session: {}", e);
    }
}
```

### 4. Message Processing

All captured messages are sent through a channel to the application, where they're processed:

```rust
client.run_with_message_handler(move |message| {
    // Print all server messages
    if !message.trim().is_empty() {
        println!("📨 [Server] {}", message.trim());
    }

    // Look for URLs
    if message_lower.contains("http://") || message_lower.contains("https://") {
        // Extract and display the URL
        // ...
    }
}).await?;
```

## URL Extraction Algorithm

1. **Receive all messages** from both stdout and stderr
2. **Search for "http://" or "https://"** in each message
3. **Extract the full URL** by finding boundaries (whitespace, punctuation)
4. **Validate** that it's a localhost.run URL
5. **Display prominently** once detected
6. **Log all messages** so users can see them even if auto-detection fails

## Debugging

If the URL isn't automatically detected, users can:

1. **Check the console output** - All server messages are logged with 📨 or 🔗 emoji
2. **Wait 10 seconds** - A fallback message appears with instructions
3. **Use traditional SSH** - Compare: `ssh -R 80:localhost:8080 localhost.run`

Example debug output:
```
📨 [Server] Welcome to localhost.run!
🔗 [Server] https://abc123.localhost.run tunnels to localhost:8080
📨 [Server] Press Ctrl-C to stop the tunnel
```

## Why Multiple Capture Methods?

Different SSH servers behave differently:

- **localhost.run** - Sends URL via shell welcome message
- **Other services** - May use stdout, stderr, or custom channels
- **Standard SSH servers** - May not send any special messages

By implementing multiple capture methods, we ensure maximum compatibility.

## Testing the Capture

You can verify the capture mechanism works by:

1. Running with debug logging:
   ```bash
   RUST_LOG=debug cargo run --example localhost_run
   ```

2. Checking for these log messages:
   - `"Opened shell session to receive server messages"`
   - `"Shell requested successfully"`
   - `"Received data: ..."` or `"Received extended data: ..."`

3. Looking for server messages in the output:
   - Lines starting with `📨 [Server]` or `🔗 [Server]`

## Comparison with Traditional SSH

Traditional SSH command:
```bash
ssh -R 80:localhost:8080 localhost.run
```

This works because:
1. OpenSSH client automatically displays stdin/stdout/stderr
2. The terminal shows everything the server sends
3. You see the URL immediately

Our implementation replicates this by:
1. Capturing stdin/stdout/stderr programmatically
2. Processing messages to extract URLs
3. Displaying them in a formatted way

## Future Improvements

Potential enhancements:

1. **Pattern matching** - Support more URL patterns
2. **QR code generation** - Display QR code for mobile access
3. **Clipboard integration** - Auto-copy URL to clipboard
4. **Desktop notifications** - Show system notification with URL
5. **URL validation** - Verify URL is accessible before displaying

## Related Files

- `src/lib.rs` - Core capture implementation (`extended_data()`, `data()` handlers)
- `examples/localhost_run.rs` - URL extraction and display logic
- `EXAMPLE_OUTPUT.md` - Shows expected output with URL capture

## Technical Details

### SSH Channel Types

1. **Session channels** - For shell, exec, subsystem
2. **Forwarded channels** - For port forwarding (our tunneled connections)
3. **Direct channels** - For direct TCP/IP connections

### Data Types

- **Type 0** - Normal data (stdout)
- **Type 1** - Extended data (stderr)
- **Type 2+** - Custom application-specific data

### Message Flow

```
localhost.run server
   SSH Protocol
  russh library
Handler::extended_data() / Handler::data()
  Message Channel
 run_with_message_handler()
   URL Extraction
  Console Display
```

## Security Considerations

- **No credentials in URLs** - localhost.run URLs are public but temporary
- **SSL/TLS** - URLs use HTTPS by default
- **Message filtering** - We only extract and display URLs, not sensitive data
- **Logging** - All messages are logged but not persisted to disk

## Troubleshooting Guide

### "missing _lhr TXT record" Error

**Problem**: Error message `missing _lhr TXT record on 0.0.0.0`

**Cause**: Using `"0.0.0.0"` as bind address instead of empty string `""`

**Solution**: This is now fixed in the library. If you see this error with the latest version:
1. Make sure you're using the latest code
2. Check that `tcpip_forward` is called with `""` not `"0.0.0.0"`
3. Restart your connection

### URL Not Captured

**Problem**: Tunnel connects but URL doesn't appear

**Solutions**:
1. Check server messages (📨 lines in output)
2. Look for ⚠️ warning messages indicating errors
3. Wait 10 seconds for fallback message
4. Enable debug logging: `RUST_LOG=debug`
5. Try traditional SSH to compare: `ssh -R 80:localhost:8080 localhost.run`

### Messages Not Received

**Problem**: No server messages appear at all

**Solutions**:
1. Ensure tunnel is actually connected (check for "Reverse tunnel established")
2. Verify shell session opened (look for "Opened shell session" log)
3. Check if server supports shell sessions
4. Try with different SSH server for comparison

### Wrong URL Format

**Problem**: URL detected but formatted incorrectly

**Solutions**:
1. Check the raw server message (📨 output)
2. Verify URL extraction regex in `localhost_run.rs`
3. Report issue with example server message

## Performance Impact

The URL capture mechanism has minimal performance impact:

- **CPU**: Negligible (simple string operations)
- **Memory**: ~1KB per message
- **Latency**: No impact on tunnel performance
- **Network**: No additional requests

Messages are processed asynchronously and don't block tunnel operations.