Restricting custom domains to specific SSH keys #321
Comments
Hey @antoniomika, no rush, but are you able to look into this? Thanks 😄 |
Are you using the |
I'm using |
@EpicEric Are you able to share your config and exactly what you put in the TXT record? |
The documentation referring to the _sish record is in accordance with this change, which hasn't been released in a tagged version yet. I believe you still need to use

I'm running sish with these options:

```yaml
# compose.yml
services:
  sish:
    # ... snip ...
    image: docker.io/antoniomika/sish@main
    command: |
      --ssh-address=:22
      --http-address=:80
      --https-address=:443
      --authentication-keys-directory=/pubkeys
      --private-keys-directory=/keys
      --https-certificate-directory=/ssl
      --https-ondemand-certificate=true
      --https-ondemand-certificate-accept-terms=true
      --https-ondemand-certificate-email=admin@my.domain
      --https=true
      --force-https=true
      --log-to-client=true
      --idle-connection=false
      --bind-random-aliases=false
      --bind-random-ports=false
      --bind-random-subdomains=false
      --bind-random-subdomains-length=6
      --http-load-balancer=true
      --tcp-load-balancer=true
      --alias-load-balancer=true
      --time-format=2006-01-02T15:04:05
      --domain=my.domain
```

I believe the only relevant option is |
Even when using the Docker image you are using, no matter whether I'm using the old TXT record or the new one, it still allows anyone to bind to it. This is my full config:

```yaml
authentication-keys-directory: "/pubkeys"
banned-subdomains: localhost, www
bind-any-host: false
bind-hosts: t.hrsn.dev,t.wdh.gg
bind-random-aliases: false
bind-random-ports: true
bind-random-subdomains: false
bind-random-subdomains-length: 12
domain: "t.hrsn.net"
http-address: "tcp://107.150.46.51:80,tcp6://[2604:4300:a:149::6d96:2e33]:80"
https: true
https-address: "tcp://107.150.46.51:443,tcp6://[2604:4300:a:149::6d96:2e33]:443"
https-certificate-directory: "/ssl"
port-bind-range: 1000-1999
private-keys-directory: "/keys"
redirect-root: true
redirect-root-location: https://hrsn.net/#tunnels
ssh-address: "tcp://107.150.46.51:2222,tcp6://[2604:4300:a:149::6d96:2e33]:2222"
tcp-address: "tcp://107.150.46.51,tcp6://[2604:4300:a:149::6d96:2e33]"
```

This is my Docker compose file:

```yaml
services:
  sish:
    image: antoniomika/sish:main
    container_name: sish
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - ./pubkeys:/pubkeys
      - ./keys:/keys
      - ./ssl:/ssl
      - ./config.yml:/config.yml:ro
    command: |
      --config=/config.yml
    network_mode: host
    restart: always
```

A couple questions:
|
Actually, reading on the documentation for |
So I should set that option to true and remove the

FYI, I intend to host subdomains on t.wdh.gg, not wdh.gg (e.g. tunnel123.t.wdh.gg). |
You can leave that as is, then. |
With the current implementation of verifyDNS,

Going through the code, I believe the option you'll want is |
I tried that option with both types of TXT records, and it didn't work, not sure why. I also tried both with and without

Is it possible that the TXT record verification system is just completely broken? |
It definitely works for me, as it doesn't let me bind on a subdomain if the TXT is missing. I'm not really sure what else could be causing this issue, unfortunately. |
I am having some trouble setting up custom domains and restricting them to specific SSH keys.

For context, this is my setup:

- `t.hrsn.net` - this is the domain used in the SSH command to connect to sish and is the default hostname when not using a custom domain (e.g. `tunnel123.t.hrsn.net`).
- `t.wdh.gg` - this is the domain I'm trying to restrict to a specific SSH key. A CNAME record is configured for `t.wdh.gg` and `*.t.wdh.gg` pointing to `t.hrsn.net`.

In my config file I have the following:

Now, this config works and I can set up subdomains on `t.wdh.gg` like `tunnel123.t.wdh.gg`; however, even though I have a TXT record set at `_sish.t.wdh.gg` with the content:

Even though that TXT record is in place, anyone, regardless of whether they are using that SSH key, is able to use `t.wdh.gg` subdomains even though it should be restricted to that specific key.

I have tried the following, none of which worked:

- `bind-hosts` key entirely; however, when attempting to use a subdomain of `t.wdh.gg` like `tunnel123.t.wdh.gg` it would instead bind to `tunnel123.t.wdh.gg.t.hrsn.net`.
- `SHA256:` bit from the TXT record, which did not work.
- `t.wdh.gg` (attempted with and without the `SHA256:` bit):

Please let me know how I can set up custom domains and restrict them using TXT records to specific SSH keys. Thanks!
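The mechanism this issue is about (a CNAME from the custom domain to the sish host plus a TXT record carrying the SSH key's SHA256 fingerprint) can be sanity-checked offline before blaming the server. The following is an added example, not code from sish or from anyone in this thread: it computes the fingerprint `ssh-keygen -lf` prints for a public key line and reports under which name (`_sish.<domain>` or `<domain>`, the two locations the thread mentions) that exact string appears among a set of TXT answers. The key, the TXT answers and the exact-match rule are constructed assumptions, not sish's verifyDNS logic.

```python
import base64
import hashlib
import struct

def parse_openssh_pubkey(line: str) -> tuple:
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob starts with a length-prefixed string repeating the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match the prefix")
    return key_type, blob

def sha256_fingerprint(line: str) -> str:
    """'SHA256:' + unpadded base64 of SHA-256(blob), as `ssh-keygen -lf` prints."""
    _, blob = parse_openssh_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matching_txt_records(records: dict, domain: str, fingerprint: str) -> list:
    """Names under which `fingerprint` appears verbatim as a TXT value.
    Both `_sish.<domain>` (the newer location discussed in the thread) and
    `<domain>` itself (the older one) are checked; exact string match is an
    assumption here, not sish's rule."""
    hits = []
    for name in (f"_sish.{domain}", domain):
        for value in records.get(name, []):
            if value.strip().strip('"') == fingerprint:
                hits.append(name)
    return hits

# Constructed sample key: length-prefixed "ssh-ed25519" + 32 placeholder bytes.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " example@host"
SAMPLE_FP = sha256_fingerprint(SAMPLE_PUBKEY)

# Constructed TXT answers, quoted the way `dig +short TXT` prints them. The
# second one drops the "SHA256:" prefix, as one attempt in the thread did.
SAMPLE_RECORDS = {
    "_sish.t.wdh.gg": [f'"{SAMPLE_FP}"'],
    "t.wdh.gg": [f'"{SAMPLE_FP[len("SHA256:"):]}"'],
}

if __name__ == "__main__":
    print(SAMPLE_FP)
    print(matching_txt_records(SAMPLE_RECORDS, "t.wdh.gg", SAMPLE_FP))
```

Replace the constructed records with the output of `dig +short TXT _sish.t.wdh.gg` and `dig +short TXT t.wdh.gg`, and the sample key with your own `.pub` line, to confirm the published value is byte-for-byte the fingerprint of the key you connect with.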