{"id":15728912,"url":"https://github.com/flaviostutz/ssh-jwt","last_synced_at":"2025-04-23T22:05:54.359Z","repository":{"id":84180881,"uuid":"249046731","full_name":"flaviostutz/ssh-jwt","owner":"flaviostutz","description":"A SSH server that authorizes PTY, remote or local port forwarding based on JWT token entered as password","archived":false,"fork":false,"pushed_at":"2020-07-16T19:33:34.000Z","size":37,"stargazers_count":4,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-23T22:05:48.141Z","etag":null,"topics":["authorization","jwt-key","jwt-token","pty","ssh-jwt","ssh-server","ssh-tunnel","tunneling"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flaviostutz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-21T19:32:38.000Z","updated_at":"2024-12-13T22:32:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"22651b93-8e76-48cd-8dc4-2683db29125a","html_url":"https://github.com/flaviostutz/ssh-jwt","commit_stats":null,"previous_names":["flaviostutz/ssh-tunnels"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flaviostutz%2Fssh-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flaviostutz%2Fssh-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flaviostutz%2Fssh-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flavios
tutz%2Fssh-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flaviostutz","download_url":"https://codeload.github.com/flaviostutz/ssh-jwt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250522300,"owners_count":21444511,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","jwt-key","jwt-token","pty","ssh-jwt","ssh-server","ssh-tunnel","tunneling"],"created_at":"2024-10-03T23:07:39.749Z","updated_at":"2025-04-23T22:05:53.796Z","avatar_url":"https://github.com/flaviostutz.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ssh-jwt\n\n[\u003cimg src=\"https://img.shields.io/docker/automated/flaviostutz/ssh-jwt\"/\u003e](https://hub.docker.com/r/flaviostutz/ssh-jwt)\n\nA SSH server that authorizes PTY, remote or local port forwarding based on JWT token entered as password.\n\nView ENVs and Usage for more information on how to launch this.\n\n## Usage\n\n### shared key signing\n\n* create docker-compose.yml:\n\n```yml\nversion: '3.7'\nservices:\n  ssh-tunnels:\n    image: flaviostutz/ssh-jwt\n    ports:\n      - \"2222:22\"\n    environment:\n     - LOG_LEVEL=debug\n     - JWT_KEY=123\n     - ENABLE_REMOTE_FORWARDING=true\n     - ENABLE_LOCAL_FORWARDING=true\n     - ENABLE_PTY=true\n```\n\n* run docker-compose up\n\n* Open http://jwt.io\n\n* Create a JWT key with the following contents\n\nheader\n```json\n{\n  \"alg\": \"HS512\",\n  \"typ\": \"JWT\"\n}\n```\n\npayload\n```json\n{\n  \"aid\": \"234243453453\",\n  \"mid\": \"GTE3456\",\n  
\"exp\": 1587529693,\n  \"rfw\": \"0.0.0.0:4343 0.0.0.0:4242\",\n  \"lfw\": \"10.1.1.254:80 10.1.1.254:81 45.55.44.56:80\",\n  \"pty\": \"true\"\n}\n```\n\nsignature\nuse password \"123\"\n\n* Copy the encoded/signed JWT contents to clipboard\n\n* In a terminal, run\n\n```bash\nssh root@localhost -p 2222\n```\n\n* When asked for password, paste the encoded JWT contents\n\n* If all is OK, you will be connected to a shell session.\n\n* Modify JWT claim \"pty\" to \"false\" and try to connect again\n\n* If the token is invalid or it doesn't have claim \"pty\", your connection will be refused.\n\n\n\n\n### RS512 pub/priv signing key\n\n* create docker-compose.yml:\n\n```yml\nversion: '3.7'\nservices:\n  ssh-tunnels:\n    image: flaviostutz/ssh-jwt\n    ports:\n      - \"2222:22\"\n    secrets:\n      - rs-pub-key\n    environment:\n      - JWT_ALGORITHM=RS512\n      - JWT_KEY_SECRET_NAME=rs-pub-key\n      - ENABLE_LOCAL_FORWARDING=true\n      - ENABLE_REMOTE_FORWARDING=true\n      - ENABLE_PTY=true\n      - LOG_LEVEL=debug\n\nsecrets:\n  rs-pub-key:\n    file: ./test_rsa.pub\n```\n\n* Open https://8gwifi.org/jwsgen.jsp\n\n* Create a JWT key with the following contents\n\nJWS Algo: RS512\n\nPayload\n```json\n{\n  \"aid\": \"234243453453\",\n  \"mid\": \"GTE3456\",\n  \"exp\": 1587529693,\n  \"rfw\": \"0.0.0.0:4343 0.0.0.0:4242\",\n  \"lfw\": \"10.1.1.254:80 10.1.1.254:81 45.55.44.56:80\",\n  \"pty\": \"true\"\n}\n```\n\nClick on \"Generate JWS Keys\"\n\n* Create file test_rsa.pub with public key contents\n\n* Create file test_rsa.key with private key contents\n\n* Copy the contents of the JWT key from the \"Serialize\" field from the site\n\n* Run docker-compose up\n\n* On another terminal, run\n  * ```ssh root@localhost -p 2222 -L 0.0.0.0:1212:10.1.1.254:80```\n\n* On a third terminal run\n  * ```curl localhost:1212```\n\n* If any web server is running on 10.1.1.254:80 it will get its contents\n\n\n## JWT token Claims\n\n* rfw - a list of space separated 
\"[bindhost]:[port]\" indicating authorized remote port forward binds. ex.: \"0.0.0.0:4444\" will accept remote port forwarding to the other side\n\n* lfw - a list of space separated \"[desthost]:[port]\" indicating authorized local port forward destinations. ex.: \"201.22.123.43:80\" will accept local port forwardings to 201.22.123.43 through the ssh tunnel\n\n* pty - permit interactive terminal sessions in shell if \"true\"\n\n\n## ENVs\n\n* JWT_ALGORITHM - JWT algorithm used for signing entered tokens. May be one of ES256, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512. defaults to \"HS512\".\n* JWT_KEY - key used by the signing algorithm. required\n* LOG_LEVEL - log level (error, warn, info, debug). defaults to info\n* BIND_HOST - host to bind service to. defaults to 0.0.0.0 (all host interfaces will respond)\n* BIND_PORT - ssh service port. defaults to 22\n* ENABLE_REMOTE_FORWARDING - enable remote port forwarding. if not enabled, even if authorized on JWT token, it won't work. defaults to false.\n* ENABLE_LOCAL_FORWARDING - enable local port forwarding. if not enabled, even if authorized on JWT token, it won't work. defaults to false.\n* ENABLE_PTY - enable pty terminal with a shell session on connect. if not enabled, even if authorized on JWT token, it won't work. defaults to true\n* JWT_KEY_SECRET_NAME - Docker secret that will be used for loading key into ssh\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflaviostutz%2Fssh-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflaviostutz%2Fssh-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflaviostutz%2Fssh-jwt/lists"}