man-psusan.but 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430
  1. \cfg{man-identity}{psusan}{1}{2020-12-13}{PuTTY tool suite}{PuTTY tool suite}
  2. \H{psusan-manpage} Man page for \cw{psusan}
  3. \S{psusan-manpage-name} NAME
  4. \cw{psusan} \- pseudo-SSH for untappable, separately authenticated networks
  5. \S{psusan-manpage-synopsis} SYNOPSIS
  6. \c psusan [ options ]
  7. \e bbbbbb iiiiiii
  8. \S{psusan-manpage-description} DESCRIPTION
  9. \cw{psusan} is a server program that behaves like the innermost
  10. \q{connection} layer of an SSH session, without the two outer security
  11. layers of encryption and authentication. It provides all the
  12. post-authentication features of an SSH connection:
  13. \b choosing whether to run an interactive terminal session or a single
  14. specified command
  15. \b multiple terminal sessions at once (or a mixture of those and
  16. specified commands)
  17. \b SFTP file transfer
  18. \b all the standard SSH port-forwarding options
  19. \b X11 forwarding
  20. \b SSH agent forwarding
  21. The catch is that, because it lacks the outer layers of SSH, you have
  22. to run it over some kind of data channel that is already authenticated
  23. as the right user, and that is already protected to your satisfaction
  24. against eavesdropping and session hijacking. A good rule of thumb is
  25. that any channel that you were prepared to run a \e{bare} shell
  26. session over, you can run \cw{psusan} over instead, which adds all the
  27. above conveniences without changing the security properties.
  28. The protocol that \cw{psusan} speaks is also spoken by PuTTY, Plink,
  29. PSCP, and PSFTP, if you select the protocol type \q{Bare ssh-connection}
  30. or the command-line option \cw{-ssh-connection} and specify the
  31. absolute path to the appropriate Unix-domain socket in place of
  32. a hostname.
  33. \S{psusan-manpage-examples} EXAMPLES
  34. The idea of a secure, pre-authenticated data channel seems strange to
  35. people thinking about \e{network} connections. But there are lots of
  36. examples within the context of a single Unix system, and that's where
  37. \cw{psusan} is typically useful.
  38. \S2{psusan-manpage-examples-docker} Docker
  39. A good example is the console or standard I/O channel leading into a
  40. container or virtualisation system. Docker is a familiar example. If
  41. you want to start a Docker container and run a shell directly within
  42. it, you might say something like
  43. \c docker run -i -t some:image
  44. \e iiiiiiiiii
  45. which will allow you to run a single shell session inside the
  46. container, in the same terminal you started Docker from.
  47. Suppose that you'd prefer to run \e{multiple} shell sessions in the
  48. same container at once (perhaps so that one of them can use debugging
  49. tools to poke at what another is doing). And perhaps inside that
  50. container you're going to run a program that you don't trust with full
  51. access to your network, but are prepared to let it make one or two
  52. specific network connections of the kind you could set up with an SSH
  53. port forwarding.
  54. In that case, you could remove the \cw{-t} option from that Docker
  55. command line (which means \q{allocate a terminal device}), and tell it
  56. to run \cw{psusan} inside the container:
  57. \c docker run -i some:image /some/path/to/psusan
  58. \e iiiiiiiiii iiiiiiiiiiii
  59. (Of course, you'll need to ensure that \cw{psusan} is installed
  60. somewhere inside the container image.)
  61. If you do that from a shell command line, you'll see a banner line
  62. looking something like this:
  63. \c SSHCONNECTION@putty.projects.tartarus.org-2.0-PSUSAN_Release_0.75
  64. which isn't particularly helpful except that it tells you that
  65. \cw{psusan} has started up successfully.
  66. To talk to this server \e{usefully}, you can set up a PuTTY saved
  67. session as follows:
  68. \b Set the protocol to \q{Bare ssh-connection} (the \cw{psusan}
  69. protocol).
  70. \b Write \e{something} in the hostname box. It will appear in PuTTY's
  71. window title (if you run GUI PuTTY), so you might want to write
  72. something that will remind you what kind of window it is. If you have
  73. no opinion, something generic like \cq{dummy} will do.
  74. \b In the \q{Proxy} configuration panel, set the proxy type to
  75. \q{Local}, and enter the above \cq{docker run} command in the
  76. \q{Telnet command, or local proxy command} edit box.
  77. \b In the \q{SSH} configuration panel, you will very likely want to
  78. turn on connection sharing. (See below.)
  79. This arranges that when PuTTY starts up, it will run the Docker
  80. command as shown above in place of making a network connection, and
  81. talk to that command using the \cw{psusan} SSH-like protocol.
  82. The effect is that you will still get a shell session in the context
  83. of a Docker container. But this time, it's got all the SSH amenities.
  84. If you also turn on connection sharing in the \q{SSH} configuration
  85. panel, then the \q{Duplicate Session} option will get you a second
  86. shell in the \e{same} Docker container (instead of a primary shell in
  87. a separate instance). You can transfer files in and out of the
  88. container while it's running using PSCP or PSFTP; you can forward
  89. network ports, X11 programs, and/or an SSH agent to the container.
  90. Of course, another way to do all of this would be to run the \e{full}
  91. SSH protocol over the same channel. This involves more setup: you have
  92. to invent an SSH host key for the container, accept it in the client,
  93. and deal with it being left behind in your client's host key cache
  94. when the container is discarded. And you have to set up some login
  95. details in the container: either configure a password, and type it in
  96. the client, or copy in the public half of some SSH key you already
  97. had. And all this inconvenience is \e{unnecessary}, because these are
  98. all precautions you need to take when the connection between two
  99. systems is going over a hostile network. In this case, it's only going
  100. over a kernel IPC channel that's guaranteed to go to the right place,
  101. so those safety precautions are redundant, and they only add
  102. awkwardness.
  103. \S2{psusan-manpage-examples-uml} User-mode Linux
  104. User-mode Linux is another container type you can talk to in the same
  105. way. Here's a small worked example.
  106. The \e{easiest} way to run UML is to use its \cq{hostfs} file system
  107. type to give the guest kernel access to the same virtual filesystem as
  108. you have on the host. For example, a command line like this gets you a
  109. shell prompt inside a UML instance sharing your existing filesystem:
  110. \c linux mem=512M rootfstype=hostfs rootflags=/ rw init=/bin/bash
  111. If you run this at a command line (assuming you have a UML kernel
  112. available on your path under the name \cq{linux}), then you should see
  113. a lot of kernel startup messages, followed by a shell prompt along the
  114. lines of
  115. \c root@(none):/#
  116. To convert this into a \cw{psusan}-based UML session, we need to
  117. adjust the command line so that instead of running \cw{bash} it runs
  118. \cw{psusan}. But running \cw{psusan} directly isn't quite enough,
  119. because \cw{psusan} will depend on a small amount of setup, such as
  120. having \cw{/proc} mounted. So instead, we set the init process to a
  121. shell script which will do the necessary setup and \e{then} invoke
  122. \cw{psusan}.
  123. Also, running \cw{psusan} directly over the UML console device is a
  124. bad idea, because then the \cw{psusan} binary protocol will be mixed
  125. with textual console messages. So a better plan is to redirect UML's
  126. console to the standard error of the \cw{linux} process, and map its
  127. standard input and output to a serial port. So the replacement UML
  128. command line might look something like this:
  129. \c linux mem=512M rootfstype=hostfs rootflags=/ rw \
  130. \c con=fd:2,fd:2 ssl0=fd:0,fd:1 init=/some/path/to/uml-psusan.sh
  131. \e iiiiiiiiiiiiiiiiiiiiiiiiiii
  132. And the setup script \cw{uml-psusan.sh} might look like this:
  133. \c #!/bin/bash
  134. \c # Set up vital pseudo-filesystems
  135. \e iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
  136. \c mount -t proc none /proc
  137. \c mount -t devpts none /dev/pts
  138. \c # Redirect I/O to the serial port, but stderr to the console
  139. \e iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
  140. \c exec 0<>/dev/ttyS0 1>&0 2>/dev/console
  141. \c # Set the serial port into raw mode, to run a binary protocol
  142. \e iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
  143. \c stty raw -echo
  144. \c # Choose what shell you want to run inside psusan
  145. \e iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
  146. \c export SHELL=/bin/bash
  147. \c # Set up a default path
  148. \e iiiiiiiiiiiiiiiiiiiiiii
  149. \c export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
  150. \c # And now run psusan over the serial port
  151. \e iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
  152. \c exec /home/simon/src/putty/misc/psusan
  153. Now set up a PuTTY saved session as in the Docker example above.
  154. Basically you'll want to use the above \cw{linux} command as the local
  155. proxy command. However, it's worth wrapping it in \cw{setsid}(\e{1}),
  156. because when UML terminates, it kills its entire process group. So
  157. it's better that PuTTY should not be part of that group, and should
  158. have the opportunity to shut down cleanly by itself. So probably you
  159. end up setting the proxy command to be something more like:
  160. \c setsid linux mem=512M rootfstype=hostfs rootflags=/ rw \
  161. \c con=fd:2,fd:2 ssl0=fd:0,fd:1 init=/some/path/to/uml-psusan.sh
  162. \e iiiiiiiiiiiiiiiiiiiiiiiiiii
  163. You may also find that you have to enable the bug workaround that
  164. indicates that the server \q{Discards data sent before its greeting},
  165. because otherwise PuTTY's outgoing protocol greeting can be
  166. accidentally lost during UML startup. (See
  167. \W{https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991958}{Debian
  168. bug #991958}.)
  169. Once you've done that, you'll have a PuTTY session that starts up a
  170. clean UML instance when you run it, and (if you enabled connection
  171. sharing) further instances of the same session will connect to the
  172. same instance again.
  173. \S2{psusan-manpage-examples-wsl} Windows Subsystem for Linux
  174. On Windows, the default way to use WSL is to run the \cw{wsl} program,
  175. or one of its aliases, in a Windows console, either by launching it
  176. from an existing command prompt, or by using a shortcut that opens it
  177. in a fresh console. This gives you a Linux terminal environment, but
  178. in a Windows console window.
  179. If you'd prefer to interact with the same environment using PuTTY as
  180. the terminal (for example, if you prefer PuTTY's mouse shortcuts for
  181. copy and paste), you can set it up by installing \cw{psusan} in the
  182. Linux environment, and then setting up a PuTTY saved session that
  183. talks to it. A nice way to do this is to use the name of the WSL
  184. distribution as the \q{host name}:
  185. \b set the local proxy command to \cq{wsl -d %host
  186. /usr/local/bin/psusan} (or wherever you installed \cw{psusan} in the
  187. Linux system)
  188. \b enter the name of a particular WSL distribution in the host name
  189. box. (For example, if you installed WSL Debian in the standard way
  190. from the Windows store, this will just be \q{Debian}.)
  191. \b set the protocol to \q{Bare ssh-connection}, as usual.
  192. Like all the other examples here, this also permits you to forward
  193. ports in and out of the WSL environment (e.g. expose a WSL2 network
  194. service through the hypervisor's internal NAT), forward Pageant into
  195. it, and so on.
  196. \S2{psusan-manpage-examples-cygwin} Cygwin
  197. Another Unix-like environment on Windows is Cygwin. That comes with
  198. its own GUI terminal application, \cw{mintty} (as it happens, a
  199. derivative of PuTTY); but if you'd prefer to use PuTTY itself to talk
  200. to your Cygwin terminal sessions, \cw{psusan} can help.
  201. To do this, you'll first need to build the Unix PuTTY tools inside
  202. Cygwin (via the usual \cw{cmake} method). Then, copy the resulting
  203. \cw{psusan.exe} into Cygwin's \cw{/bin} directory. (It has to be
  204. in that directory for non-Cygwin programs to run it; otherwise it
  205. won't be able to find the Cygwin DLL at startup.)
  206. Then set up your PuTTY saved session like this:
  207. \b set the local proxy command to run \cw{psusan.exe} via its real
  208. Windows path. You might also want to add the \cw{--sessiondir} option
  209. so that shell sessions start up in your Cygwin home directory. For
  210. example, you might use the command \cq{c:\\cygwin64\\bin\\psusan.exe
  211. --sessiondir /home/simon} (changing the pathname and username to match
  212. your setup).
  213. \b enter anything you like in the host name box; \cq{Cygwin} is
  214. probably a good choice
  215. \b set the protocol to \q{Bare ssh-connection}, as usual.
  216. Port forwarding is probably not particularly useful in this case,
  217. since Cygwin shares the same network port space as the host machine.
  218. But turning on agent forwarding is useful, because then the Cygwin
  219. command-line SSH client can talk to Pageant without any further
  220. configuration.
  221. \S2{psusan-manpage-examples-schroot} \cw{schroot}
  222. Another example of a container-like environment is the alternative
  223. filesystem layout set up by \cw{schroot}(\e{1}).
  224. \cw{schroot} is another program that defaults to running an
  225. interactive shell session in the terminal you launched it from. But
  226. again, you can get a \cw{psusan} connection into the \cw{schroot}
  227. environment by setting up a PuTTY saved session whose local proxy
  228. command is along the lines of
  229. \c schroot -c chroot-name /some/path/to/psusan
  230. \e iiiiiiiiiii iiiiiiiiiiii
  231. Depending on how much of the chroot environment is copied from your
  232. main one, you might find this makes it easier to (for example) run X11
  233. programs inside the chroot that open windows on your main X display,
  234. or transfer files in and out of the chroot.
  235. \S2{psusan-manpage-examples-namespace} Between network namespaces
  236. If you've set up multiple network namespaces on a Linux system, with
  237. different TCP/IP configurations, then \cw{psusan} can be a convenient
  238. unprivileged-user gateway between them, if you run it as a non-root
  239. user in the non-default one of your namespaces, listening for
  240. connections on a Unix-domain socket.
  241. If you do that, then it gives you convenient control over which of
  242. your outgoing network connections use which TCP/IP configuration: you
  243. can use PuTTY to run a shell session in the context of the other
  244. namespace if you want to run commands like \cw{ping}, or you can set
  245. up individual port forwardings or even a SOCKS server so that
  246. processes running in one namespace can send their network connections
  247. via the other one.
  248. For this application, it's probably most convenient to use the
  249. \cw{--listen} option in \cw{psusan}, which makes it run as a server
  250. and listen for connections on a Unix-domain socket. Then you can enter
  251. that socket name in PuTTY's host name configuration field (and also
  252. still select the \q{Bare ssh-connection} protocol option), to connect
  253. to that socket as if it were an SSH client.
  254. Provided the Unix-domain socket is inside a directory that only the
  255. right user has access to, this will ensure that authentication is done
  256. implicitly by the Linux kernel.
  257. \S2{psusan-manpage-examples-userv} Between user ids, via GNU userv
  258. If you use multiple user ids on the same machine, say for purposes of
  259. privilege separation (running some less-trusted program with limited
  260. abilities to access all your stuff), then you probably have a
  261. \q{default} or most privileged account where you run your main login
  262. session, and sometimes need to run a shell in another account.
  263. \cw{psusan} can be used as an access channel between the accounts,
  264. using GNU \cw{userv}(\e{1}) as the transport. In the account you want
  265. to access, write a \cw{userv} configuration stanza along the lines of
  266. \c if (glob service psusan & glob calling-user my-main-account-name)
  267. \e iiiiiiiiiiiiiiiiiiii
  268. \c reset
  269. \c execute /some/path/to/psusan
  270. \e iiiiiiiiiiii
  271. \c fi
  272. This gives your main account the right to run the command
  273. \c userv my-sub-account-name psusan
  274. \e iiiiiiiiiiiiiiiiiii
  275. and you can configure that command name as a PuTTY local proxy
  276. command, in the same way as most of the previous examples.
  277. Of course, there are plenty of ways already to access one local
  278. account from another, such as \cw{sudo}. One advantage of doing it
  279. this way is that you don't need the system administrator to intervene
  280. when you want to change the access controls (e.g. change which of your
  281. accounts have access to another): as long as you have \e{some} means
  282. of getting into each account in the first place, and \cw{userv} is
  283. installed, you can make further configuration changes without having
  284. to bother root about it.
  285. Another advantage is that it might make file transfer between the
  286. accounts easier. If you're the kind of person who keeps your home
  287. directories private, then it's awkward to copy a file from one of your
  288. accounts to another just by using the \cw{cp} command, because there's
  289. nowhere convenient that you can leave it in one account where the
  290. other one can read it. But with \cw{psusan} over \cw{userv}, you don't
  291. need any shared piece of filesystem: you can \cw{scp} files back and
  292. forth without any difficulty.
  293. \S{psusan-manpage-options} OPTIONS
  294. The command-line options supported by \cw{psusan} are:
  295. \dt \cw{--listen} \e{unix-socket-name}
  296. \dd Run \cw{psusan} in listening mode. \e{unix-socket-name} is the
  297. pathname of a Unix-domain socket to listen on. You should ensure that
  298. this pathname is inside a directory whose read and exec permissions
  299. are restricted to only the user(s) you want to be able to access the
  300. environment that \cw{psusan} is running in.
  301. \lcont{
  302. The listening socket has to be a Unix-domain socket. \cw{psusan} does
  303. not provide an option to run over TCP/IP, because the unauthenticated
  304. nature of the protocol would make it inherently insecure.
  305. }
  306. \dt \cw{--listen-once}
  307. \dd In listening mode, this option causes \cw{psusan} to listen for
  308. only one connection, and exit immediately after that connection
  309. terminates.
  310. \dt \cw{--sessiondir} \e{pathname}
  311. \dd This option sets the directory that shell sessions and
  312. subprocesses will start in. By default it is \cw{psusan}'s own working
  313. directory, but in some situations it's easier to change it with a
  314. command-line option than by wrapping \cw{psusan} in a script that
  315. changes directory before starting it.
  316. \dt \cw{-v}, \cw{--verbose}
  317. \dd This option causes \cw{psusan} to print verbose log messages on
  318. its standard error. This is probably most useful in listening mode.
  319. \dt \cw{\-sshlog} \e{logfile}
  320. \dt \cw{\-sshrawlog} \e{logfile}
  321. \dd These options cause \cw{psusan} to log protocol details to a file,
  322. similarly to the logging options in PuTTY and Plink.
  323. \lcont{
  324. \cw{\-sshlog} logs decoded SSH packets and other events (those that
  325. \cw{\-v} would print). \cw{\-sshrawlog} additionally logs the raw wire
  326. data, including the outer packet format and the initial greetings.
  327. }