SSH
You may use the SSH protocol as a proxy policy, equivalent to ssh -D.
Profile syntax:
- Password authentication
[Proxy]
proxy = ssh, 1.2.3.4, 22, root, password=pw
- Public key authentication
[Proxy]
proxy = ssh, 1.2.3.4, 22, root, private-key=base64(privateKeyFileContent)
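- Please note that you must base64-encode the entire private key file again, even though the private key file itself already uses base64 encoding. Base64 is an encoding, not encryption, so the profile then contains the private key itself and should be protected like the key file. You may use OpenSSL to create the base64-encoded string: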
```sh
# OpenSSL 1.x
openssl enc -base64 -in /path/to/privatefile
# OpenSSL 3+
openssl base64 -in /path/to/privatefile
```
All four types of private keys, RSA/ECDSA/ED25519/DSA, are supported.
Chute supports the KEX methods and SSH ciphers listed below:
KEX method |
---|
diffie-hellman-group1-sha1 |
diffie-hellman-group14-sha1 |
ecdh-sha2-nistp256 |
ecdh-sha2-nistp384 |
ecdh-sha2-nistp521 |
[email protected] |
curve25519-sha256 |
diffie-hellman-group16-sha512 |
diffie-hellman-group18-sha512 |
diffie-hellman-group14-sha256 |
Cipher |
---|
3des_cbc |
aes128_cbc |
aes192_cbc |
aes256_cbc |
aes128_ctr |
aes192_ctr |
aes256_ctr |
aead_aes128_gcm |
aead_aes256_gcm |
aead_chacha20_poly1305 |
- You may now specify the idle-timeout parameter. The default value is 180s.
[Proxy]
proxy = ssh, 1.2.3.4, 22, root, password=pw, idle-timeout=180
Server Fingerprint
To defend against MITM attacks, you can specify the server's public key fingerprint with the server-fingerprint parameter, which ensures that connections are made only to legitimate servers.
[Proxy]
proxy = ssh, 1.2.3.4, 22, root, password=pw, idle-timeout=180, server-fingerprint = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ABCAIO9KYmO+KZQH3VXU5C1aO2xl4G8+7NLkOYDNBxfZUqep"
As a server may have multiple public keys, the server-fingerprint parameter supports configuring multiple fingerprints, separated by commas.
server-fingerprint = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ABCAIO9KYmO+KZQH3VXU5C1aO2xl4G8+7NLkOYDNBxfZUqep,ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrklKEp4vuMqqNiS2lvDL7g3rQ2dAwvik+KIC4iVJNoaHhkLRAEv1y/dQYixf71ORZUI+w3AFKp1RzfiuwciTsMnp7Hq9uvcHqDRDaCrYe1EDx3Dr0XlH1wsdUcr+6DOAUzRSXK9LSEPVK1xHb6WJBaTkNOHruPCmrINA/DEIiflMN2q77AWlsMt+unhmY2YWgJprY+vpDOcXk8+CnL4K+QWNlHB8mTfB58p1oadz1xWG9so//rUMp7JHtUt6QpVJvwf/Qh7IcFNDhSHwSTJu2Px2P9biuUOPkmPtZmTIdnDx25EUWtmE/+VE3lZAYuur7KuGsG0o+X8dYnEMAN3ar"
You may obtain the server fingerprint from the ~/.ssh/known_hosts file, or fetch it with the command ssh-keyscan example.com from a trusted network environment. Remove the hostname at the front of the line before copying it to Chute.
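
The hostname-stripping step above can be scripted. This is an added shell example, not part of the Chute documentation; the function names chute_server_fingerprint and sample_known_hosts are hypothetical, and the sample input is constructed. It goes slightly beyond the text by also skipping revoked and CA entries, handling hashed host fields, and joining several keys with commas.

```sh
#!/bin/sh
# Added example, not from the Chute documentation.
# chute_server_fingerprint (hypothetical name) reads known_hosts-format lines
# on stdin, as found in ~/.ssh/known_hosts or printed by ssh-keyscan, and
# writes one server-fingerprint line with the host field removed.
chute_server_fingerprint() {
    awk '
        /^[ \t]*#/ { next }                  # comment lines
        $1 == "@revoked" { next }            # never pin a revoked key
        $1 == "@cert-authority" { next }     # a CA key is not a host key
        NF < 3 { next }                      # blank or truncated lines
        {
            # $1 is the host pattern (plain, or hashed as "|1|salt|hash"):
            # drop it and keep only "<key type> <base64 key>".
            if ($3 !~ "^[A-Za-z0-9+/]+=*$") next
            key = $2 " " $3
            if (!(key in seen)) {            # the same key may be listed twice
                seen[key] = 1
                out = (n++ ? out "," : "") key
            }
        }
        END {
            if (n == 0) exit 1               # nothing usable: fail loudly
            printf "server-fingerprint = \"%s\"\n", out
        }
    '
}

# Constructed sample input. The ssh-ed25519 value is the one shown in this
# page; the host names and the other two key blobs are made up.
sample_known_hosts() {
    cat <<'EOF'
# example.com:22 SSH-2.0-OpenSSH
example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ABCAIO9KYmO+KZQH3VXU5C1aO2xl4G8+7NLkOYDNBxfZUqep
|1|Y29uc3RydWN0ZWRzYWx0|Y29uc3RydWN0ZWRoYXNo ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTZDT05TVFJVQ1RFRA==
@revoked example.com ssh-rsa AAAAB3NzaC1yc2FSRVZPS0VE
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ABCAIO9KYmO+KZQH3VXU5C1aO2xl4G8+7NLkOYDNBxfZUqep
EOF
}

sample_known_hosts | chute_server_fingerprint
```

With a live host, the same function can be fed by `ssh-keyscan example.com | chute_server_fingerprint` from a trusted network, and the resulting line appended to the proxy definition.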