costan-rtunnel 0.4.0

data/CHANGELOG

@@ -0,0 +1,13 @@
+v0.4.0. Re-packaged as gem using echoe. Eventmachine. Client authentication.
+
+v0.3.9. Cleanup and removed dependencies.
+
+v0.3.6. New protocol. Available as gem for easier installation.
+
+v0.2.1. Minor bugfix, cmdline options change.
+
+v0.2.0. Much simpler
+
+v0.1.2. Created rtunnel_server binary for linux so you don't need Ruby installed on the host you want to reverse tunnel from.
+
+v0.1.1. Added default control port of 19050, no longer have to specify this on client or server unless you care to change it.

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2008 coderrr, Victor Costan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Manifest

@@ -0,0 +1,49 @@
+CHANGELOG
+LICENSE
+Manifest
+README.markdown
+Rakefile
+bin/rtunnel_client
+bin/rtunnel_server
+lib/rtunnel.rb
+lib/rtunnel/client.rb
+lib/rtunnel/command_protocol.rb
+lib/rtunnel/commands.rb
+lib/rtunnel/core.rb
+lib/rtunnel/crypto.rb
+lib/rtunnel/frame_protocol.rb
+lib/rtunnel/io_extensions.rb
+lib/rtunnel/leak.rb
+lib/rtunnel/rtunnel_client_cmd.rb
+lib/rtunnel/rtunnel_server_cmd.rb
+lib/rtunnel/server.rb
+lib/rtunnel/socket_factory.rb
+lib/rtunnel/connection_id.rb
+lib/rtunnel/command_processor.rb
+rtunnel.gemspec
+spec/client_spec.rb
+spec/cmds_spec.rb
+spec/integration_spec.rb
+spec/server_spec.rb
+spec/spec_helper.rb
+test/command_stubs.rb
+test/protocol_mocks.rb
+test/scenario_connection.rb
+test/test_client.rb
+test/test_command_protocol.rb
+test/test_commands.rb
+test/test_crypto.rb
+test/test_frame_protocol.rb
+test/test_io_extensions.rb
+test/test_server.rb
+test/test_socket_factory.rb
+test/test_tunnel.rb
+test/test_connection_id.rb
+test_data/known_hosts
+test_data/ssh_host_rsa_key
+test_data/random_rsa_key
+test_data/ssh_host_dsa_key
+test_data/authorized_keys2
+tests/_ab_test.rb
+tests/_stress_test.rb
+tests/lo_http_server.rb

data/README.markdown

@@ -0,0 +1,84 @@
+INSTALL
+-
+
+on server and local machine:
+
+`sudo gem sources -a http://gems.github.com`
+
+`sudo gem install coderrr-rtunnel`
+
+If you don't have root access you can run the above commands without `sudo` and rubygems will install the gem into your `~/.gem` directory.  If you go this route, make sure you add the gems executable dir to your path.
+
+`export PATH=$PATH:~/.gem/ruby/1.8/bin`
+
+USAGE
+-
+
+on server (myserver.com):
+
+`rtunnel_server`
+
+on your local machine:
+
+`rtunnel_client -c myserver.com -f 4000 -t 3000`
+
+This would reverse tunnel myserver.com:4000 to localhost:3000 so that if you had a web server running at port 3000 on your local machine, anyone on the internet could access it by going to http://myserver.com:4000
+
+**Logging (verbosity) level**
+
+Both the server and the client support 4 levels of logging - 'debug', 'info', 'warn', 'error'. The -l parameter sets the logging level. The default level is 'error'. For example:
+
+`rtunnel_server -l debug`
+
+starts a server that will output debugging information.
+
+**Secure connections**
+
+RTunnel can be configured to use ssh keys to control access to the server. A ssh
+key (generated by ssh-genkey) is required on the client, and the server must
+have a list of authorized keys (using the format of known_hosts.) The keys are
+used to authenticate clients and guarantee data integrity. For performance
+reasons, encryption is not done.
+
+Server setup:
+
+`rtunnel_server -a ~/.ssh/known_hosts`
+
+Client setup:
+
+`rtunnel_client -c myserver.com -f 4000 -t 3000 -k /etc/ssh/ssh_host_rsa_key`
+
+If you're concerned about security, you probably want to restrict the range of
+ports that clients can open up on the rtunnel server.
+
+`rtunnel_server -p 3000 -P 3999`
+
+restricts clients to using ports 3000-3999 for reverse tunnels.
+
+
+<a name="about">RTunnel?</a>
+-
+
+This client/server allow you to reverse tunnel traffic.  Reverse tunneling is useful if you want to run a server behind a NAT and you do not have the ability to use port forwarding.  The specific reason I created this program was to reduce the pain of Facebook App development on a crappy internet connection that drops often.  ssh -R was not cutting it.
+
+**How does reverse tunneling work?**
+
+  * tunnel\_client makes connection to tunnel\_server (through NAT)
+  * tunnel_server listens on port X
+  * internet_user connects to port X on tunnel server
+  * tunnel\_server uses existing connection to tunnel internet\_user's request back to tunnel\_client
+  * tunnel_client connects to local server on port Y
+  * tunnel_client tunnels internet\_user's connection through to local server
+
+or:
+
+  * establish connection: tunnel\_client --NAT--> tunnel\_server
+  * reverse tunnel: internet\_user -> tunnel_server --(NAT)--> tunnel\_client -> server\_running\_behind\_nat
+
+**How is this different than normal tunneling?**
+
+With tunneling, usually your connections are made in the same direction you create the tunnel connection.  With reverse tunneling, you tunnel your connections the opposite direction of which you made the tunnel connection.  So you initiate the tunnel with A -> B, but connections are tunneled from B -> A.
+
+**Why not just use ssh -R?**
+
+The same thing can be achieved with ssh -R, so why not just use it?  A lot of ssh servers don't have the GatewayPorts sshd option set up to allow you to reverse tunnel.  If you are not in control of the server and it is not setup correctly then you are SOL.  RTunnel does not require you are in control of the server.  ssh -R also has other annoyances.  When your connection drops and you try to re-initiate the reverse tunnel sometimes you get an 'address already in use error' because the old tunnel process is still laying around.  This may require you to kill the existing sshd process.  RTunnel does not have this problem.

data/Rakefile

@@ -0,0 +1,45 @@
+require 'rubygems'
+require 'echoe'
+require 'rake'
+require 'spec/rake/spectask'
+
+$: << File.join(File.dirname(__FILE__), 'lib')
+require 'rtunnel'
+
+desc "Run all examples"
+Spec::Rake::SpecTask.new('spec') do |t|
+  t.spec_files = FileList['spec/**/*.rb']
+end
+
+desc "Create packages"
+task :pkg4google do
+  system %Q{cd .. && tar cvzf rtunnel/pkg/rtunnel-#{RTunnel::VERSION}.tar.gz \
+            rtunnel --exclude=.svn --exclude=pkg --exclude=rtunnel.ipr \
+            --exclude=rtunnel.iws --exclude=rtunnel.iml
+            }
+  system "rubyscript2exe rtunnel_server.rb --stop-immediately && 
+          mv rtunnel_server_linux pkg/rtunnel_server_linux-#{RTunnel::VERSION}"
+end
+
+desc "Print command codes"
+task :codes do
+  print RTunnel::Command.printable_codes
+end
+
+Echoe.new('rtunnel') do |p|
+  p.rubyforge_name = 'coderrr'
+  p.author = 'coderrr'
+  p.email = 'coderrr.contact@gmail.com'
+  p.summary = 'Reverse tunnel server and client.'  
+  p.description = ''
+  p.url = 'http://github.com/coderrr/rtunnel'
+  # p.remote_rdoc_dir = '' # Release to root
+  p.dependencies = ["eventmachine >=0.12.2",
+                    "net-ssh >=2.0.4"]
+  p.development_dependencies = ["echoe >=3.0.1",
+                                "rspec >=1.1.11",
+                                "simple-daemon >=0.1.2",
+                                "thin >=1.0.0"]
+  p.need_tar_gz = false
+  p.need_zip = false
+end

data/bin/rtunnel_client

@@ -0,0 +1,4 @@
+#!/usr/bin/ruby
+
+require 'rtunnel'
+RTunnel.run_client

data/bin/rtunnel_server

@@ -0,0 +1,4 @@
+#!/usr/bin/ruby
+
+require 'rtunnel'
+RTunnel.run_server

data/lib/rtunnel.rb

@@ -0,0 +1,20 @@
+module RTunnel  
+end
+
+require 'rtunnel/core.rb'
+require 'rtunnel/io_extensions.rb'
+require 'rtunnel/socket_factory.rb'
+require 'rtunnel/frame_protocol.rb'
+
+require 'rtunnel/commands.rb'
+require 'rtunnel/command_processor.rb'
+require 'rtunnel/command_protocol.rb'
+require 'rtunnel/connection_id.rb'
+require 'rtunnel/crypto.rb'
+
+require 'rtunnel/client.rb'
+require 'rtunnel/leak.rb'
+require 'rtunnel/server.rb'
+
+require 'rtunnel/rtunnel_client_cmd.rb'
+require 'rtunnel/rtunnel_server_cmd.rb'

data/lib/rtunnel/client.rb

@@ -0,0 +1,308 @@
+require 'resolv'
+require 'timeout'
+
+require 'rubygems'
+require 'eventmachine'
+
+class RTunnel::Client
+  include RTunnel
+  include RTunnel::Logging
+
+  attr_reader :control_address, :control_host, :control_port
+  attr_reader :remote_listen_address, :tunnel_to_address
+  attr_reader :tunnel_timeout, :private_key
+  attr_reader :logger
+  attr_reader :connections, :server_connection
+  
+  def initialize(options = {})
+    process_options options
+    @connections = {}
+    @server_connection = nil
+  end
+
+  def start
+    return if @server_connection
+    @control_host = SocketFactory.host_from_address @control_address
+    @control_port = SocketFactory.port_from_address @control_address
+    connect_to_server
+  end
+    
+  def connect_to_server
+    D "Connecting to #{@control_host} port #{@control_port}"
+    @server_connection = EventMachine.connect @control_host, @control_port,
+                                               Client::ServerConnection, self
+  end
+  
+  def stop
+    @connections.each { |connection| connection.close_connection_after_writing }
+    
+    return unless @server_connection
+    @server_connection.close_connection_after_writing
+    @server_connection.disable_tunnel_timeouts
+    @server_connection = nil
+  end
+  
+  ## option processing
+  
+  def process_options(options)
+    [:control_address, :remote_listen_address, :tunnel_to_address,
+     :tunnel_timeout, :private_key].each do |opt|
+      instance_variable_set "@#{opt}".to_sym,
+          RTunnel::Client.send("extract_#{opt}".to_sym, options[opt])
+    end
+    
+    init_log :level => options[:log_level]    
+  end  
+  
+  def self.extract_control_address(address)
+    unless SocketFactory.port_from_address address
+      address = "#{address}:#{RTunnel::DEFAULT_CONTROL_PORT}"
+    end
+    RTunnel.resolve_address address
+  end
+  
+  def self.extract_remote_listen_address(address)
+    unless SocketFactory.port_from_address address
+      address = "0.0.0.0:#{address}"
+    end
+    RTunnel.resolve_address address
+  end
+  
+  def self.extract_tunnel_to_address(address)
+    address = "localhost:#{address}" if address =~ /^\d+$/    
+    RTunnel.resolve_address address
+  end
+  
+  def self.extract_tunnel_timeout(timeout)
+    timeout || RTunnel::TUNNEL_TIMEOUT
+  end
+  
+  def self.extract_private_key(key_file)
+    key_file and Crypto.read_private_key key_file
+  end
+end
+
+# Connection to the server's control port.
+class RTunnel::Client::ServerConnection < EventMachine::Connection
+  # Note: I would've loved to make this a module, but event_machine's
+  # connection init order (initialize, connect block, post_init) does not
+  # work as advertised (the connect block seems to execute after post_init).
+  # So I'm taking the safe route and having my own initialize.
+  
+  include RTunnel
+  include RTunnel::Logging
+  include RTunnel::CommandProcessor
+  include RTunnel::CommandProtocol
+  
+  attr_reader :client
+
+  def initialize(client)
+    super()
+    
+    @client = client
+    @tunnel_to_address = client.tunnel_to_address
+    @tunnel_to_host = SocketFactory.host_from_address @tunnel_to_address
+    @tunnel_to_port = SocketFactory.port_from_address @tunnel_to_address
+    @timeout_timer = nil
+    @hasher = nil
+    @connections = @client.connections
+    init_log :to => @client
+  end
+
+  def post_init
+    if @client.private_key
+      request_session_key
+    else
+      request_listen
+    end
+  end
+  
+  # Asks the server to open a listen socket for this client's tunnel.
+  def request_listen
+    send_command RemoteListenCommand.new(@client.remote_listen_address)
+    enable_tunnel_timeouts    
+  end
+
+  # Asks the server to establish a session key with this client.
+  def request_session_key
+    D 'Private key provided, asking server for session key'
+    key_fp = Crypto.key_fingerprint @client.private_key
+    send_command GenerateSessionKeyCommand.new(key_fp)    
+  end
+  
+  def unbind
+    # wait for a second, then try connecting again
+    W 'Lost server connection, will reconnect in 1s'
+    EventMachine.add_timer(1.0) { client.connect_to_server }
+    @connections.each { |conn_id, conn| conn.close_connection_after_writing }
+    @connections.clear
+  end
+  
+  
+  ## Command processing
+  
+  # CreateConnectionCommand handler
+  def process_create_connection(connection_id)
+    if @connections[connection_id]
+      E "asked to create already open connection #{connection_id}"
+      return
+    end
+    
+    D "Tunnel #{connection_id} to #{@tunnel_to_host} port #{@tunnel_to_port}"
+    connection = EventMachine.connect(@tunnel_to_host, @tunnel_to_port,
+        Client::TunnelConnection, connection_id, @client)
+    @connections[connection_id] = connection
+  end
+  
+  # CloseConnectionCommand handler
+  def process_close_connection(connection_id)
+    if connection = @connections[connection_id]
+      I "Closing connection #{connection_id}"
+      connection.close_connection_after_writing
+      @connections.delete connection_id
+    else
+      W "Asked to close inexistent connection #{connection_id}"
+    end
+  end
+  # Called when a tunnel connection is closed.
+  def data_connection_closed(connection_id)
+    return unless @connections.delete(connection_id)
+    D "Connection #{connection_id} closed by this end"
+    send_command CloseConnectionCommand.new(connection_id)
+  end
+  
+  # SendData handler
+  def process_send_data(connection_id, data)
+    if connection = @connections[connection_id]
+      D "Data: #{data.length} bytes for #{connection_id}"
+      connection.tunnel_data data
+    else
+      W "Received data for non-existent connection #{connection_id}!"
+    end
+  end
+
+  # SetSessionKey handler
+  def process_set_session_key(encrypted_keys)
+    case encrypted_keys
+    when ''
+      W "Sent key to open tunnel server"
+      request_listen
+    when 'NO'
+      if @client.private_key
+        E "Server refused provided key"
+      else
+        E "Server requires authentication and no private key was provided"
+      end
+      close_connection_after_writing
+    else
+      D "Received server session keys, installing hashers"
+      iokeys = StringIO.new Crypto.decrypt_with_key(client.private_key,
+                                                    encrypted_keys)
+      @out_hasher = Crypto::Hasher.new iokeys.read_varstring
+      @in_hasher = Crypto::Hasher.new iokeys.read_varstring
+      self.outgoing_command_hasher = @out_hasher
+      self.incoming_command_hasher = @in_hasher
+      
+      D "Hashers installed, opening listen socket on server"
+      request_listen
+    end
+  end
+  
+  def receive_bad_frame(frame, exception)
+    case exception
+    when :bad_signature
+      D "Ignoring command with invalid signature"
+    when Exception
+      D "Ignoring malformed command."
+      D "Decoding exception: #{exception.class.name} - #{exception}\n" +
+        "#{exception.backtrace.join("\n")}\n"
+    end
+  end  
+  
+  ## Connection timeouts.
+
+  # Keep-alive received from the control connection.
+  def process_keep_alive
+  end  
+
+  #:nodoc:
+  def receive_command(command) 
+    @last_packet_time = Time.now
+    super
+  end
+    
+  # After this is called, the control connection will be closed if no command is
+  # received within a certain amount of time.
+  def enable_tunnel_timeouts
+    @last_packet_time = Time.now
+    @timeout_timer = EventMachine::PeriodicTimer.new(1.0) do
+      check_tunnel_timeout
+    end
+  end
+  
+  # Closes the connection if no command has been received for some time.
+  def check_tunnel_timeout
+    if tunnel_timeout?
+      W 'Tunnel timeout. Disconnecting from server.'
+      disable_tunnel_timeouts
+      close_connection_after_writing
+    end
+  end
+  
+  # Disables timeout checking (so the tunnel will not be torn down if no command
+  # is received for some period of time).
+  def disable_tunnel_timeouts
+    return unless @timeout_timer
+    @timeout_timer.cancel
+    @timeout_timer = nil
+  end
+
+  # If true, a tunnel timeout has occured.
+  def tunnel_timeout?
+    Time.now - @last_packet_time > client.tunnel_timeout
+  end  
+end
+
+# A connection to the tunnelled port.
+class RTunnel::Client::TunnelConnection < EventMachine::Connection
+  include RTunnel
+  include RTunnel::Logging
+  
+  def initialize(connection_id, client)
+    super()
+
+    @connection_id = connection_id
+    @backlog = ''
+    @client = client
+    init_log :to => @client
+  end
+  
+  def server_connection
+    @client.server_connection
+  end
+  
+  def tunnel_data(data)
+    # if the connection hasn't been accepted, store the incoming data until
+    # sending can happen
+    if @backlog
+      @backlog << data
+    else
+      send_data data
+    end
+  end
+  
+  def post_init
+    D "Tunnel #{@connection_id} established"
+    send_data @backlog unless @backlog.empty?
+    @backlog = nil
+  end
+  
+  def receive_data(data)
+    D "Data: #{data.length} bytes from #{@connection_id}"
+    server_connection.send_command SendDataCommand.new(@connection_id, data)
+  end
+  
+  def unbind
+    server_connection.data_connection_closed @connection_id
+  end
+end