This program sets up and returns a TCP connection to a given address and port; a typical use is to provide an SSH client with its connection to an SSH server.
In the trivial case the destination is directly reachable and a direct connection is made. More commonly it cannot be reached directly and one or more proxies must be set up; TSTproxy starts SSH clients to act as those proxies, based on its configuration file.
Like `ProxyJump` (`ssh -J`), TSTproxy is careful not to forward your SSH agent to the intermediate hosts. This is an important security benefit: agent forwarding creates an agent socket on each intermediate host, and anybody with root access there (or anybody running as your user) can send requests through that socket and have your agent sign with your keys. (`ssh-add -c`, which makes the agent ask for confirmation before each use of a key, helps with this, but isn't a perfect solution: the prompt cannot tell you which host or which connection is asking, so you can still approve a request that was not yours.)
TSTproxy differs from `ProxyJump` and similar solutions in two ways:
- The `ProxyJump` configuration is different depending on what host you're starting at, and so must be maintained separately on hosts in different parts of the internetwork. TSTproxy uses the same configuration on all hosts: it generates a network map and, based on your current location in that map, dynamically generates the list of intermediate hosts.
- TSTproxy sets up a single forwarding process between any host (initial or intermediate) and any destination using dynamic port forwarding (`DynamicForward` or `ssh -D`), so that additional connections through the proxy save time by not having to set up further `ssh` client sessions.
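To make the "same map everywhere" idea and the `ssh -D` chaining concrete, here is an added example in Python. It is not TSTproxy's own code: it models a constructed network map of SSH reachability, derives the hop list from wherever you currently are, and emits the `ssh -N -D` commands plus the `ProxyCommand` glue that chain those hops, reusing any SOCKS listener that is already open. The host names, port numbers, and the use of OpenBSD `nc -X 5 -x` as the SOCKS5 client helper are assumptions, and chaining every listener on the initial host is one possible design, not necessarily TSTproxy's.

```python
"""Derive SSH hops from a shared network map and emit the ssh -D chain.

Added example, not TSTproxy's own code. The map, host names and ports are
constructed; OpenBSD `nc -X 5 -x host:port` is assumed to be available as
the SOCKS5 client helper for ProxyCommand (ncat's --proxy options would
serve the same purpose).
"""
from collections import deque

# Constructed map: host -> hosts it can reach directly over SSH.
# Reachability is directed: a bastion can reach inside, while inside
# hosts cannot necessarily reach out past it.
NETWORK_MAP = {
    "laptop": ["bastion"],
    "bastion": ["laptop", "dmz-web", "jump-internal"],
    "dmz-web": ["bastion"],
    "jump-internal": ["bastion", "db-01", "db-02"],
    "db-01": ["jump-internal"],
    "db-02": ["jump-internal"],
}


def find_hops(network_map, here, dest):
    """Intermediate hosts (excluding `here` and `dest`) on a shortest path
    through the map: [] if dest is directly reachable, None if it is not
    reachable at all. The same map yields a different answer for each
    starting host, which is what lets one config serve every host."""
    if here == dest:
        return []
    prev = {here: None}
    queue = deque([here])
    while queue:
        node = queue.popleft()
        for nxt in network_map.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dest:
                hops = []
                cur = node
                while cur != here:
                    hops.append(cur)
                    cur = prev[cur]
                hops.reverse()
                return hops
            queue.append(nxt)
    return None


def socks_via(port):
    """ProxyCommand option that reaches the ssh target through the local
    SOCKS5 listener on 127.0.0.1:<port>, i.e. the previous hop's -D."""
    return ["-o", f"ProxyCommand=nc -X 5 -x 127.0.0.1:{port} %h %p"]


def plan(network_map, here, dest, open_listeners, dest_port=22, base_port=1080):
    """Return (ssh_commands, connect_command) as argv lists.

    open_listeners maps hop -> local SOCKS port already listening and is
    updated in place. Only hops without a listener get a new `ssh -N -D`
    session, so later connections behind the same hops start no new ssh.
    No `-A` is ever added: the agent is never forwarded to a hop."""
    hops = find_hops(network_map, here, dest)
    if hops is None:
        raise ValueError(f"{dest!r} is not reachable from {here!r}")
    commands = []
    prev_port = None
    for hop in hops:
        if hop not in open_listeners:
            port = base_port + len(open_listeners)
            cmd = ["ssh", "-N", "-D", f"127.0.0.1:{port}"]
            if prev_port is not None:
                cmd += socks_via(prev_port)
            cmd.append(hop)
            commands.append(cmd)
            open_listeners[hop] = port
        prev_port = open_listeners[hop]
    if prev_port is None:  # trivial case: plain direct TCP connection
        connect = ["nc", dest, str(dest_port)]
    else:  # exit from the last hop's SOCKS listener
        connect = ["nc", "-X", "5", "-x", f"127.0.0.1:{prev_port}", dest, str(dest_port)]
    return commands, connect


if __name__ == "__main__":
    listeners = {}
    for target in ("db-01", "db-02", "bastion"):
        cmds, connect = plan(NETWORK_MAP, "laptop", target, listeners)
        for cmd in cmds:
            print("start:  ", " ".join(cmd))
        print("connect:", " ".join(connect))
```

Running it from `laptop` first starts two listeners (1080 exiting from `bastion`, 1081 exiting from `jump-internal`) to reach `db-01`; the second target `db-02` sits behind the same hops and needs no new `ssh` session, only a fresh SOCKS connect through 1081. The final `nc` line is exactly what an SSH client's `ProxyCommand` would run, while `bastion` itself is the trivial direct case. Every listener binds to 127.0.0.1 only, which is the localhost TCP listener whose exposure to other local users is described next.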
At this time the dynamic forwarding proxy's listen socket is a TCP port on localhost (127.0.0.1). That listener is an unauthenticated SOCKS proxy, so anybody with a shell or process on that host can connect to it and initiate TCP connections to arbitrary hosts reachable from the further intermediate hosts, as if they were you. Ideally it would instead listen on a Unix domain socket with owner-only permissions, so that only the user who initiated the connection could use it; OpenSSH's `DynamicForward` currently supports only TCP listeners, so solutions to this are being investigated. Until then, bear this in mind before running TSTproxy on a host shared with users you don't trust.