Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add experimental SSH management tool #2439

Open
plorenz opened this issue Sep 25, 2024 · 2 comments · May be fixed by #2440
Open

Add experimental SSH management tool #2439

plorenz opened this issue Sep 25, 2024 · 2 comments · May be fixed by #2440
Assignees
@plorenz
Labels
enhancement New feature or request

Comments

@plorenz
Copy link
Member

plorenz commented Sep 25, 2024
edited
Loading

Allow SSH to controllers and routers over the mgmt and control channels.

Note: Both the enabled and enableExperimentalFeature flags must be set to true.

Using a local ssh server. If dialing a local service, the format must be 127.0.0.1:<port>. No external IP or hostname may be used.

mgmt:
  pipe:
    enabled: true
    enableExperimentalFeature: true
    destination: 127.0.0.1:22

If there's no ssh server running, an embedded ssh server may be used.

mgmt:
  pipe:
    enabled: true
    enableExperimentalFeature: true
    destination: embedded-ssh-server
    authorizedKeysFile: /home/plorenz/tmp/authorized_keys # optional, will default to $HOME/.ssh/authorized_keys
    shell: /usr/bin/bash # optional, will default to `/bin/sh`

If you want to enable the feature, but don't want ssh access enabled on the controller itself, don't specify a destination.

Example:

mgmt:
  pipe:
    enabled: true
    enableExperimentalFeature: true

The feature must be enabled on each controller and router you want to access. Because access to routers is through a controller, the feature must be enabled on both the controller and the router, though as noted above, ssh access to the controller itself is not necessary.

Example use:

  • ziti fabric ssh --key /path/to/keyfile ctrl_client
  • ziti fabric ssh --key /path/to/keyfile ubuntu@ctrl_client
  • ziti fabric ssh --key /path/to/keyfile -u ubuntu ctrl_client
  • ssh -i ~/.fablab/instances/smoketest/ssh_private_key.pem -o ProxyCommand='ziti fabric ssh router-east-1 --proxy-mode' ubuntu@router-east-1
  • scp -i ~/.fablab/instances/smoketest/ssh_private_key.pem -o ProxyCommand='ziti fabric ssh ctrl1 --proxy-mode' ubuntu@ctrl1:./fablab/bin/ziti .
@plorenz plorenz added the enhancement New feature or request label Sep 25, 2024
@plorenz plorenz self-assigned this Sep 25, 2024
plorenz added a commit that referenced this issue Sep 25, 2024
@plorenz
Experimental support for accessing ziti components over the mgmt/ctrl…
ae74cf5 
… channels. Fixes #2439
@emoscardini
Copy link
Contributor

emoscardini commented Sep 25, 2024
edited
Loading

@plorenz For the question

Should it be 127.0.0.1 instead of localhost?

IMO, I would go with 127.0.0.1 instead of localhost. The localhost is still a resolvable name & therefore can be redirected to something other than 127.0.0.1.

@qrkourier qrkourier linked a pull request Sep 25, 2024 that will close this issue
Open
plorenz added a commit that referenced this issue Sep 25, 2024
@plorenz
Experimental support for accessing ziti components over the mgmt/ctrl…
b953349 
… channels. Fixes #2439
plorenz added a commit that referenced this issue Oct 29, 2024
@plorenz
Experimental support for accessing ziti components over the mgmt/ctrl…
4b04075 
… channels. Fixes #2439
plorenz added a commit that referenced this issue Nov 4, 2024
@plorenz
Experimental support for accessing ziti components over the mgmt/ctrl…
ab4d98c 
… channels. Fixes #2439
plorenz added a commit that referenced this issue Jan 24, 2025
@plorenz
Experimental support for accessing ziti components over the mgmt/ctrl…
f20fb67 
… channels. Fixes #2439
@qrkourier
Copy link
Member

The opt-in to experimental features flag seems an excellent way to introduce things like this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@plorenz plorenz

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for accessing ziti components over the mgmt/ctrl channels. Fixes #2439 openziti/ziti
3 participants
@plorenz @qrkourier @emoscardini