{"id":13994762,"url":"https://github.com/daradib/sidedoor","last_synced_at":"2025-05-08T07:55:24.495Z","repository":{"id":69193134,"uuid":"48869866","full_name":"daradib/sidedoor","owner":"daradib","description":"SSH connection daemon for Debian/Raspbian/Ubuntu/etc","archived":false,"fork":false,"pushed_at":"2023-08-11T19:10:11.000Z","size":78,"stargazers_count":124,"open_issues_count":5,"forks_count":20,"subscribers_count":6,"default_branch":"debian/master","last_synced_at":"2025-05-08T07:55:18.739Z","etag":null,"topics":["autossh","backdoor","backoff","bastion-host","daemon","nat","nat-traversal","openssh","port-forwarding","proxy","reverse-proxy","ssh","ssh-client","ssh-connection","ssh-keepalives","ssh-tunnel","tunnel"],"latest_commit_sha":null,"homepage":"https://packages.debian.org/sid/sidedoor","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daradib.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-01-01T04:57:03.000Z","updated_at":"2025-04-30T13:52:40.000Z","dependencies_parsed_at":"2024-01-18T05:15:28.785Z","dependency_job_id":"af4147ce-f0a1-44ce-8a17-61fb0d0a9a5c","html_url":"https://github.com/daradib/sidedoor","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daradib%2Fsidedoor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daradib%2Fsidedoor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daradib%2Fsidedoor/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/daradib%2Fsidedoor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daradib","download_url":"https://codeload.github.com/daradib/sidedoor/tar.gz/refs/heads/debian/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253025337,"owners_count":21842409,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autossh","backdoor","backoff","bastion-host","daemon","nat","nat-traversal","openssh","port-forwarding","proxy","reverse-proxy","ssh","ssh-client","ssh-connection","ssh-keepalives","ssh-tunnel","tunnel"],"created_at":"2024-08-09T14:03:05.613Z","updated_at":"2025-05-08T07:55:24.469Z","avatar_url":"https://github.com/daradib.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# sidedoor\n\nsidedoor maintains an SSH connection or tunnel\nwith a shell script daemon.\n\n![sidedoor tunneling](https://quietapple.org/dl/sidedoor.svg)\n\nThe primary use case is maintaining a remote port forward\nto the local SSH server (or another port). Thus, the local\ndevice can be accessed without using incoming connections\nthat may be blocked by a NAT or firewall or otherwise\nimpractical with mobile devices.\n\nSSH clients can connect to the device via the reverse SSH proxy\nthat sidedoor tunnels to. This proxy server can be untrusted\nand run by a third party or cloud service.\n\nsidedoor enables SSH keepalives and retries SSH with\nexponential backoff. 
In order to reconnect as soon as possible,\nit resets the backoff when a network interface is brought up\n(or changed).\n\nOther use cases:\n\n * Access a web application behind a NAT by remote forwarding the\n   local web server (e.g., port 80).\n   A remote server can host a reverse proxy to the web application\n   and handle SSL/TLS termination.\n * Stay connected to office network services behind an\n   SSH [bastion host](https://en.wikipedia.org/wiki/Bastion_host)\n   by local forwarding them.\n * [Melt Evil Corp's tape backups][mrrobot]\n   by remotely controlling a Raspberry Pi (not recommended!).\n\n**Are you using sidedoor?**\nBug reports, feature requests - please open an issue!\nPull requests are welcome.\n\n## Installation\n\nsidedoor is packaged for Debian and Debian-based systems like\nRaspbian, Ubuntu, and VyOS/[EdgeOS][edgeos],\nbut should work in any POSIX environment with an (OpenSSH) SSH client.\n\nIf sidedoor is in your distribution repositories (Debian 9+, Ubuntu 17.04+),\nsimply install it with your package manager.\n\n    sudo apt install sidedoor\n\nOtherwise, you can manually download debs from the\n[Releases page](https://github.com/daradib/sidedoor/releases).\n\nTo grant the sidedoor user full root access,\ninstall the `sidedoor-sudo` package.\n\n## Configuration\n\nThe remote server and port forwards are configured in `/etc/default/sidedoor`.\nSSH configuration files are located in the `/etc/sidedoor` directory.\n\n 1. Configure `REMOTE_SERVER` and `OPTIONS` in `/etc/default/sidedoor`.\n    For some arguments to pass in `OPTIONS`, see the blog post\n    [Local and Remote Port Forwarding Explained With Examples][portforwarding]\n    and the [`ssh` man page](https://linux.die.net/man/1/ssh).\n 2. 
Edit SSH configuration files under `/etc/sidedoor`.\n    - **`id_rsa`**: SSH private key to access the remote server.\n      Can use `ssh-keygen` to create this key\n      (press y when prompted to overwrite the existing file):\n\n          sudo ssh-keygen -t rsa -N '' -f /etc/sidedoor/id_rsa\n\n      The corresponding public key `id_rsa.pub` will need to be included in\n      the remote user's `~/.ssh/authorized_keys` file.\n    - **`known_hosts`**: SSH host key of the remote server.\n 3. Optionally, grant remote access to the local sidedoor user by adding\n    SSH public key(s) to the file `/etc/sidedoor/authorized_keys`.\n    `/etc/sidedoor/authorized_keys` is a symlink to\n    `~sidedoor/.ssh/authorized_keys`.\n    The `sidedoor-sudo` package, if installed, provides full root access\n    to this user.\n\n 4. Restart the sidedoor service to apply changes.\n\n        sudo service sidedoor restart\n\n## Recommendations\n\n * Lock down the local SSH server by editing `/etc/ssh/sshd_config`.\n   - Disable password authentication\n     (`ChallengeResponseAuthentication no` and `PasswordAuthentication no`).\n   - Limit daemon to only listen on localhost\n     (`ListenAddress ::1` and `ListenAddress 127.0.0.1`).\n   - To apply changes, restart or reload `sshd`, e.g.,\n     `sudo service ssh reload`.\n * Modify the `ssh_client_config_example` file and include it in a client's\n   `~/.ssh/config` file to easily access the tunneled SSH server\n   with `ssh`, `scp`, `rsync`, etc.\n\n## Alternatives\n\nsidedoor is intended as a lightweight solution to tunneling ports\nwith minimal dependencies, but there are some alternatives with more\nfeatures.\n\n### Tor hidden service\n\nTor provides anonymity to servers run as [hidden services][hidden-service],\nbut also handles NAT traversal.\n\nAdvantages:\n\n * Metadata, including the IP address of the local device\n   and its connection state (on/off), is less exposed to an intermediary\n   like the reverse SSH 
proxy.\n\nDisadvantages:\n\n * Tor must be installed and running on both the local device and clients.\n * Tor has higher latency so terminal feedback (input echo) is slow.\n\nOn both the device and clients, install Tor.\n\n    sudo apt install tor\n\nOn the device that is being exposed, edit [`/etc/tor/torrc`][torrc]\nto create a hidden service on port 22.\n\n    HiddenServiceDir /var/lib/tor/sshd/\n    HiddenServicePort 22 127.0.0.1:22\n    HiddenServiceAuthorizeClient stealth client\n\nReplace \"client\" with a comma-separated list of client names to\ngenerate multiple authorization secrets.\n\nThen reload Tor and get the onion hostname and authorization data.\n\n    sudo service tor reload\n    sudo cat /var/lib/tor/sshd/hostname\n\nOn clients, edit [`/etc/tor/torrc`][torrc]\nto add the onion hostname and authorization data seen in the `hostname` file.\n\n    HidServAuth \u003chostname\u003e.onion \u003csecret\u003e\n\nThen reload Tor and run `torsocks ssh \u003chostname\u003e.onion` or set `ProxyCommand`\nin the `~/.ssh/config` file.\n\n    ProxyCommand torsocks nc \u003chostname\u003e.onion 22\n\n### autossh\n\n[autossh](http://www.harding.motd.ca/autossh/), like sidedoor,\nstarts `ssh` and restarts it as needed.\n\nSome differences include:\n\n * sidedoor is a minimalistic shell script daemon.\n   autossh is a more extensive and configurable C program.\n\n * sidedoor enables SSH keepalives\n   (`ServerAliveInterval` and `ServerAliveCountMax`),\n   which are available in modern versions of OpenSSH.\n   autossh monitors `ssh` by sending data through\n   a loop of port forwards (this feature predates SSH keepalives),\n   though this can be disabled with the `-M 0` option.\n\n * sidedoor is intended to run automatically as a service,\n   so the package includes init/systemd scripts and config files.\n   autossh does not include an init/systemd script\n   (Debian bug [#698390](https://bugs.debian.org/698390)).\n\n * sidedoor disables remote commands and 
pseudo-tty allocation.\n   For interactive use, consider autossh with SSH keepalives\n   or [Mosh](https://mosh.org/).\n\n * sidedoor always retries if `ssh` exits with a non-zero exit status.\n   autossh does not retry if `ssh` exits too quickly on the first attempt,\n   which can happen when network connectivity or DNS resolution\n   is broken, particularly on mobile devices.\n   Both sidedoor and autossh have retry backoff logic.\n\n * sidedoor resets retry backoff when a network interface is brought up,\n   to attempt to reconnect as soon as possible, by receiving SIGUSR1\n   from an `if-up.d` script. autossh does not have network state hooks.\n\n### Other alternatives\n\n * [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN)\n * [PageKite](https://github.com/pagekite/PyPagekite/)\n * [ssh_tunnel](http://sshtunnel.sourceforge.net/)\n\n## License\n\nCopyright 2015-2017 Dara Adib.\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  
If not, see \u003chttps://www.gnu.org/licenses/\u003e.\n\n[mrrobot]: https://www.forbes.com/sites/abigailtracy/2015/07/15/hacking-the-hacks-mr-robot-episode-four-sam-esmail/\n[edgeos]: https://help.ubnt.com/hc/en-us/articles/205202560-EdgeMAX-Add-other-Debian-packages-to-EdgeOS\n[portforwarding]: https://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html\n[hidden-service]: https://www.torproject.org/docs/tor-hidden-service.html.en\n[torrc]: https://www.torproject.org/docs/tor-manual.html.en\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaradib%2Fsidedoor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaradib%2Fsidedoor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaradib%2Fsidedoor/lists"}