SSH
SSH is a data channel type in GOST.
SSH has two modes: tunnel mode and forwarding mode.
Tunnel Mode
Server
Client
Forwarding Mode
Forwarding mode uses the port-forwarding feature of the standard SSH protocol; only TCP is supported.
Server
Client
Use the system's native SSH service
In forwarding mode, the server can directly use the system's standard SSH service, such as the OpenSSH (sshd) service on Linux.
Authentication
The SSH tunnel supports two authentication methods: username-password authentication and PubKey authentication.
Username-Password Authentication
The scope of authentication information
In command-line mode, the authentication information (user:pass) applies to the SSH tunnel itself (the Listener and Dialer), not to the Handler and Connector. This behavior applies only to ssh and sshd tunnels.
Server
Client
PubKey Authentication
Server
The server sets the authorized client public key list through authorizedKeys option.
Client
The client sets the private key and the private key passphrase through the privateKeyFile and passphrase options.
The privateKeyFile path supports a ~ prefix for home directory expansion (e.g., ~/.ssh/id_rsa).
Instead of specifying the passphrase in plaintext, you can enable the passphraseFromKeyring option to read the passphrase from the system keyring, where GOST retrieves the secret using the keyring entry SSH <privateKeyFile>. When this option is enabled, the passphrase parameter is ignored.
Additionally, the SSHD dialer supports automatic SSH agent authentication via the SSH_AUTH_SOCK environment variable, so no private key file path needs to be specified in the configuration.
```yaml
services:
- name: service-0
  addr: :8080
  handler:
    type: auto
    chain: chain-0
  listener:
    type: tcp
chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: node-0
      addr: :2222
      connector:
        type: relay
      dialer:
        type: ssh
        metadata:
          privateKeyFile: /path/to/privateKeyFile
          passphrase: "123456"
          # passphraseFromKeyring: true # read passphrase from system keyring
```
Keep-Alive
The client can enable keep-alive through the keepalive option and set the interval for sending heartbeat packets through the ttl option (default value is 30s).
You can also set the heartbeat timeout duration (default value is 15s) through the keepalive.timeout option and the number of heartbeat retries (default value is 1) through the keepalive.retries option.
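As an added example covering both the PubKey server side and the keep-alive options above (this is not configuration from the GOST documentation), the two files below form a matching server/client pair: the server accepts only the client public keys listed in its authorizedKeys file, and the client keeps the tunnel alive and takes its key passphrase from the system keyring rather than from the config file. Assumptions: the server handler type relay is chosen to pair with the relay connector used by the client config above; the dotted option names keepalive.timeout and keepalive.retries are written literally as metadata keys; the file paths are placeholders; the 30s, 15s and 1 values are the defaults stated above, written out explicitly.

```yaml
# File 1 (constructed example): server.yaml
# Tunnel-mode server on port 2222. Only clients whose public key appears in
# the authorizedKeys file can open the SSH data channel; no password is configured,
# so the password method is not offered to clients.
services:
- name: service-0
  addr: :2222
  handler:
    type: relay            # assumption: pairs with the client's relay connector
  listener:
    type: ssh
    metadata:
      authorizedKeys: /path/to/authorized_keys   # placeholder: allowlist of client public keys
---
# File 2 (constructed example): client.yaml
# Local :8080 entry point forwarded through the SSH tunnel to the server above.
services:
- name: service-0
  addr: :8080
  handler:
    type: auto
    chain: chain-0
  listener:
    type: tcp
chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: node-0
      addr: :2222
      connector:
        type: relay
      dialer:
        type: ssh
        metadata:
          privateKeyFile: ~/.ssh/id_rsa       # ~ expands to the home directory
          passphraseFromKeyring: true         # passphrase taken from the keyring, not this file
          keepalive: true
          ttl: 30s                            # heartbeat interval (default 30s)
          keepalive.timeout: 15s              # heartbeat timeout (default 15s); assumed literal key
          keepalive.retries: 1                # retries before the tunnel is considered dead; assumed literal key
```

The two files are shown in one block separated by a YAML document marker only for reading; each is loaded by its own GOST instance. Keeping the passphrase in the keyring means the client config file can be checked into configuration management without carrying a secret, and the heartbeat settings let a dead tunnel (for example after a NAT table entry expires) be detected and reconnected instead of hanging forwarded connections.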
Proxy
The SSH tunnel can be used in combination with various proxy protocols.
HTTP Over SSH
SOCKS5 Over SSH
Relay Over SSH
Port Forwarding
The SSH tunnel can also be used for port forwarding.
Server
is equivalent to
By using port forwarding of the SSH tunnel, an SSH data channel is added to the SOCKS5 proxy service on port 1080.
At this time, port 2222 is equivalent to: