Skip to content

picosh/tunkit

Repository files navigation

tunkit - ssh tunnel tooling

  • Passwordless authentication for the browser using SSH local forwarding.
  • Implemented as wish middleware.

Passwordless authentication

The end-user creates a local forward SSH tunnel to a service running tunkit. tunkit spins up a dedicated web service for that tunnel -- using a unix socket. Then the user can access that web service using localhost. The web service can then access the SSH context in order to know who the user is and what they are authorized to do within the web service.

Why?

Sometimes all you have is an ssh keypair for authenticating a user and don't want to require them to create a completely separate auth mechanism for website access.

For example, have you ever wished you could use docker push and docker pull using just an SSH keypair? Well now it's possible.

Run our cmd/docker example to see it in action!

# setup auth
mkdir ssh_data
cat ~/.ssh/id_ed25519.pub > ./ssh_data/authorized_keys

# start a registry
docker run -d -p 5000:5000 --restart always --name registry registry:2
# run the SSH app
REGISTRY_URL="localhost:5000" go run ./cmd/docker
# connect to SSH app
ssh -L 1338:localhost:80 \
		-p 2222 \
		-o UserKnownHostsFile=/dev/null \
		-o StrictHostKeyChecking=no \
		-N \
		localhost

# tag image
docker tag alpine localhost:1338/alpine
# push image
docker push localhost:1338/alpine:latest
# pull image
docker pull localhost:1338/alpine:latest

We built this library to support imgs.sh: a private docker registry leveraging SSH tunnels.

Examples

Checkout our cmd/ folder for more examples.

go run ./cmd/example
ssh -L 0.0.0.0:1338:localhost:80 \
		-p 2222 \
		-o UserKnownHostsFile=/dev/null \
		-o StrictHostKeyChecking=no \
		-N \
		localhost

Go to http://localhost:1338