sshbind 0.1.0

SSHBind is a Rust library that securely binds remote services behind multiple SSH jump hosts to a local socket, enabling seamless access with encrypted credential management, TOTP-based two-factor authentication, and automatic reconnection.
# NixOS VM test: a `user` client machine runs sshbind against a `target`
# machine that acts as both SSH jump host and service host.
# Everything here is a disposable test fixture; the accounts and passwords
# below are intentionally weak and must not be reused outside the test VMs.
{
  pkgs,
  lib, # NOTE(review): not referenced anywhere in the visible part of this file
  ...
}: let
  # Throwaway password for the `bob` account on `target`. It is used twice:
  # as bob's initialPassword and, via Nix interpolation, inside the test
  # script's credentials file. Both end up as plain text in the Nix store.
  bobPassword = "bob";
  nodes = {
    # Client VM: runs sshbind as `alice` and carries the load-generation and
    # diagnostic tools referenced by the test script.
    user = {...}: {
      # System-wide tooling (monitoring, socket helpers, traffic generators).
      environment.systemPackages = [
        pkgs.btop
        pkgs.wget
        pkgs.socat
        pkgs.dig
        pkgs.tcpkali
        pkgs.iperf
        pkgs.sockperf
        pkgs.stress-ng
        pkgs.wrk2
        pkgs.oha
        pkgs.tokio-console
      ];

      users.users.alice = {
        description = "alice";
        isNormalUser = true;
        useDefaultShell = true;
        # Test-only credential: the password equals the user name and is stored
        # in plain text in the world-readable Nix store. Acceptable only for a
        # disposable test VM.
        initialPassword = "alice";
        # Per-user tools: age and sops manage the encrypted credentials file,
        # sshbind is the binary under test.
        packages = [
          pkgs.age
          pkgs.sops
          pkgs.sshbind
        ];
      };
    };
    # Server VM: SSH jump host plus the HTTP service that the tunnels reach.
    target = {...}: {
      # NOTE(review): nothing in this node's visible config listens on 8080;
      # the second httpd listener is 127.0.0.1:8000 and is only reachable
      # through the SSH tunnel. Confirm 8080 is needed, otherwise drop it.
      networking.firewall.allowedTCPPorts = [80 8080];

      users.users.bob = {
        description = "bob";
        isNormalUser = true;
        useDefaultShell = true;
        # Test-only credential shared with the sops credentials file.
        initialPassword = bobPassword;
        packages = [pkgs.socat];
      };

      services.openssh = {
        enable = true;
        settings = {
          # Password login is enabled because the test authenticates bob with
          # a username/password pair; do not carry this over to real hosts.
          PasswordAuthentication = true;
          # NOTE(review): upstream sshd defaults MaxSessions to 10, so 5 lowers
          # the per-connection session limit rather than raising it. Confirm
          # the intended value.
          MaxSessions = 5;
          # MaxStartups = "20:30:60"; # Allow more concurrent connections
          # ClientAliveInterval = 60;
          # ClientAliveCountMax = 10;
        };
      };

      services.httpd = {
        enable = true;
        virtualHosts."default" = {
          documentRoot = "/etc/var/www";
          # One listener on all interfaces (port 80) and one loopback-only
          # listener (port 8000).
          listen = [
            {
              port = 80;
              ip = "0.0.0.0";
            }
            {
              port = 8000;
              ip = "127.0.0.1";
            }
          ];
          extraConfig = ''
            <Directory "/etc/var/www">
              Require all granted
            </Directory>
          '';
        };
      };

      # Static page served by httpd; lands at /etc/var/www/index.html.
      environment.etc."var/www/index.html".text = ''
        Hello from NixOS!
      '';

      # Server-side counterparts of the client's benchmarking tools.
      environment.systemPackages = [
        pkgs.iperf
        pkgs.sockperf
        pkgs.stress-ng
      ];
    };
  };
in
  pkgs.nixosTest {
    # Test name as given to the NixOS test driver.
    name = "Performance Throughput Stability Testing";
    inherit nodes;

    # Python test-driver script. Phases:
    #   1. Start every VM and wait for multi-user.target and network.target.
    #   2. setup_sops(): generate an age key as the given user, install it at
    #      ~/.config/sops/age/keys.txt (mode 600), write a credentials file and
    #      a .sops.yaml on the driver side, copy both into the user's home,
    #      chown the home directory, then encrypt secrets.yaml in place.
    #   3. Type "alice" twice on the user VM console (presumably the login
    #      name followed by the password - confirm).
    #   4. Run six `sshbind bind` commands through jump host target:22, on
    #      local ports 8000-8005; the last two also pass a command via -c
    #      (a sockperf server and an iperf3 server).
    #   5. Type an iperf3 client command against local port 8005.
    #
    # Escaping: the only Nix interpolation in the script is bobPassword; the
    # \n and \\. sequences reach Python unchanged and are interpreted there.
    #
    # Security notes for anyone adapting this:
    #   - The bob password is interpolated at evaluation time, so the script
    #     stored in the Nix store contains it in plain text.
    #   - secrets.yaml is written unencrypted in the driver's working directory
    #     and the script never deletes it; only the copy inside the VM is
    #     encrypted. Fine for a throwaway password, not for real credentials.
    #   - The .sops.yaml creation rule matches every path ending in .yaml.
    #
    # NOTE(review): the iperf3 client is only typed into the console with
    # send_chars, so its output is never checked and nothing waits for it to
    # finish. As written the test asserts only that the bind commands exit
    # successfully; the throughput checks are all commented out.
    testScript = ''
      start_all()

      for m in machines:
          m.wait_for_unit("multi-user.target")

      for m in machines:
          m.wait_for_unit("network.target")

      def setup_sops(m: Machine, user: str):
          out = m.succeed(f"su -l {user} -c 'age-keygen -o age.key 2>&1'")
          age_pk = out.split("key: ")[1].strip()

          m.succeed(f"su -l {user} -c 'mkdir -p ~/.config/sops/age/ && mv age.key ~/.config/sops/age/keys.txt'")
          m.succeed(f"su -l {user} -c 'chmod 600 ~/.config/sops/age/keys.txt'")

          creds = "target:22:\n  username: bob\n  password: ${bobPassword}\n"
          creds += "192.168.10.1:22:\n  username: bob\n  password: ${bobPassword}\n"
          with open("secrets.yaml", "w") as f:
              f.write(creds)

          sops_config = f"""keys:\n  - &my_age_keys {age_pk}\n"""
          sops_config += """creation_rules:\n  - path_regex: \\.yaml$\n"""
          sops_config += "    key_groups:\n      - age:\n        - *my_age_keys"
          with open(".sops.yaml", "w") as f:
              f.write(sops_config)

          m.copy_from_host("secrets.yaml", f"/home/{user}/secrets.yaml")
          m.copy_from_host(".sops.yaml", f"/home/{user}/.sops.yaml")
          m.succeed(f"chown {user}:users -R /home/{user}/")
          m.succeed(f"su -l {user} -c 'sops --in-place --encrypt secrets.yaml'")

      # Setup sops for alice
      setup_sops(user, "alice")

      user.send_chars("alice\n")
      user.sleep(1)
      user.send_chars("alice\n")


      # Testing basic cli usage
      user.succeed("su -l alice -c 'RUST_BACKTRACE=full sshbind bind -a 127.0.0.1:8000 -r 127.0.0.1:80 -j target:22 -s ~/secrets.yaml'")
      user.succeed("su -l alice -c 'RUST_BACKTRACE=full sshbind bind -a 127.0.0.1:8001 -r 127.0.0.1:80 -j target:22 -s ~/secrets.yaml'")
      user.succeed("su -l alice -c 'RUST_BACKTRACE=full sshbind bind -a 127.0.0.1:8002 -r 127.0.0.1:8000 -j target:22 -s ~/secrets.yaml'")
      user.succeed("su -l alice -c 'RUST_BACKTRACE=full sshbind bind -a 127.0.0.1:8003 -r 127.0.0.1:8000 -j target:22 -s ~/secrets.yaml'")
      user.succeed(r"""su -l alice -c 'RUST_BACKTRACE=full sshbind bind -a 127.0.0.1:8004 -r 127.0.0.1:11111 -j target:22 -s ~/secrets.yaml -c "sockperf sr -i 127.0.0.1 -p 11111 --tcp"'""")
      user.succeed(r"""su -l alice -c 'RUST_BACKTRACE=full sshbind bind -a 127.0.0.1:8005 -r 127.0.0.1:5201 -j target:22 -s ~/secrets.yaml -c "iperf3 -s"'""")

      user.send_chars("iperf3 -c 127.0.0.1 -p 8005 \n")
      # print(user.succeed(r"oha -c 200 -z 10s http://127.0.0.1:8000"))
      # print(user.succeed(r"oha -c 200 -z 10s http://127.0.0.1:8001"))
      # print(user.succeed(r"oha -c 200 -z 10s http://127.0.0.1:8002"))
      # print(user.succeed(r"oha -c 200 -z 10s http://127.0.0.1:8003"))
      # user.send_chars("btop\n")
      # print(user.succeed("cat /home/alice/.local/share/sshbind/sshbind_*"))

      # user.succeed("sockperf pp -i 127.0.0.1 -p 8004 -m 350 -t 30 --tcp")
      # user.succeed("sockperf ul -i 127.0.0.1 -p 8004 -m 200 -t 30 --mps 100000 --tcp")
      # user.succeed("sockperf tp -i 127.0.0.1 -p 8004 -m 1400 -t 15 --tcp")

    '';
  }