put ssh detection on full auto

2018-06-01 02:45:38 -06:00 · 2018-06-01 02:45:38 -06:00 · af9a7c5812
parent 4368569b25
commit af9a7c5812
2 changed files with 39 additions and 17 deletions
--- a/examples/telebit.yml.tpl
+++ b/examples/telebit.yml.tpl
@ -1,6 +1,7 @@
 agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
 community_member: true          # receive infrequent relevant updates
 telemetry: true                 # contribute to project telemetric data
+ssh_auto: 22                    # forward ssh-looking packets, from any connection, to port 22
 remote_options:
  https_redirect: true          # redirect http to https remotely (default)
 local_ports:                    # ports to forward
--- a/lib/sorting-hat.js
+++ b/lib/sorting-hat.js
@ -56,6 +56,16 @@ module.exports.assign = function (state, tun, cb) {
  console.log('first message from', tun);
  var net = state.net || require('net');

+  function trySsh(tun, cb) {
+    // https://security.stackexchange.com/questions/43231/plausibly-deniable-ssh-does-it-make-sense?rq=1
+    // https://tools.ietf.org/html/rfc4253#section-4.2
+    if (false === state.config.ssh_auto || 'SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
+      cb(null, false);
+      return;
+    }
+    cb(null, getNetConn(state.config.sshPort || 22));
+  }
+
  var handlers = {};
  handlers.http = function (socket) {
    if (!state.greenlock) {
@ -201,11 +211,30 @@ module.exports.assign = function (state, tun, cb) {
          //console.log('[hit tls server]', tlsSocket.remoteFamily, tlsSocket.remoteAddress, tlsSocket.remotePort, tlsSocket.localPort);
          //console.log(addr);
          var conf = state.config.servernames[tlsSocket.servername];
-          if (!conf || !conf.handler) {
-            handlers.https(tlsSocket);
-            return;
-          }
-          invokeHandler(conf, tlsSocket, tun, id);
+          tlsSocket.once('data', function (firstChunk) {
+            tlsSocket.pause();
+            //tlsSocket.unshift(firstChunk);
+            tlsSocket._handle.onread(firstChunk.length, firstChunk);
+
+            trySsh({ data: firstChunk }, function (err, conn) {
+              process.nextTick(function () { tlsSocket.resume(); });
+
+              if (conn) {
+                conn.pipe(tlsSocket);
+                tlsSocket.pipe(conn);
+                return;
+              }
+
+              if (!conf || !conf.handler) {
+                console.log('https default handler');
+                handlers.https(tlsSocket);
+                return;
+              }
+
+              console.log('https invokeHandler');
+              invokeHandler(conf, tlsSocket, tun, id);
+            });
+          });
        });
      }

@ -284,19 +313,11 @@ module.exports.assign = function (state, tun, cb) {
    return;
  }

-  function trySsh(tun) {
-    // https://security.stackexchange.com/questions/43231/plausibly-deniable-ssh-does-it-make-sense?rq=1
-    // https://tools.ietf.org/html/rfc4253#section-4.2
-    if ('SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
-      return false;
-    }
-    cb(null, getNetConn(state.config.sshPort || 22));
-    return true;
-  }
-
  if ('tcp' === tun.service) {
-    if (trySsh(tun)) { return; }
-    cb(new Error("No TCP handler"));
+    trySsh(tun, function (err, conn) {
+      if (conn) { cb(null, conn); return; }
+      cb(new Error("No TCP handler"));
+    });
  }

  console.warn("Unknown service '" + tun.service + "'");