Last active May 26, 2019
Can't afford iodine? Use mosh and authbind to bust through hostile networks

Iodine on the cheap

If iodine is too expensive, you can use mosh and authbind instead to get your SSH/mosh sessions through hostile networks: everything runs on port 53, the port such networks are least likely to block.

This requires three ingredients:

  • authbind with the requisite configuration
  • A shell script to wrap the authbind call
  • ALL the port-related parameters for mosh (-p, --ssh and --server)

Why authbind and not setcap? Because authbind would not need to exist if Debian had implemented capabilities properly. setcap sets capabilities on binaries, making it essentially nothing but a slightly more fine-grained chmod +s, i.e. setuid. This is bad for all the reasons setuid is bad. Therefore I refuse to use it. There are other ways to give a user or a session additional capabilities, e.g. by setting things up so that their user session is launched with additional capabilities that they can then pass on to the processes they launch from that session. Debian has broken that, but at least has the grace to give us authbind.

OK, I get it, you have opinions, now do the thing

First, give $USER permission to bind port 53 through authbind (these steps need root):

  1. Install authbind
  2. touch /etc/authbind/byport/53
  3. chmod u+x /etc/authbind/byport/53 (or g+x if you want to grant it to a group)
  4. chown $USER /etc/authbind/byport/53 (or chown it to a group, or use facls if you want to get fancy)

authbind grants the port when that file exists and is executable by the user doing the bind, so ownership and the x bit are all that matter; the file's contents don't.

Then, create the wrapper script somewhere:

  1. cat >/home/$USER/bin/ (put the code shown at the end of this page there)
  2. chmod +x /home/$USER/bin/

(Why is this wrapper script necessary? Because mosh is a poop and won't let you do --server="authbind mosh-server".)

Finally, call it:

mosh -p 53 --ssh="ssh -p 53" --server="/home/$USER/bin/" $SHELL_HOST

So now mosh will use server-side UDP port 53 for the mosh session (-p 53), bootstrap that session over SSH on TCP port 53 (the --ssh parameter), and start mosh-server through the wrapper script (the --server parameter). This assumes sshd on $SHELL_HOST is also listening on port 53; otherwise the --ssh part has nothing to connect to.

Bootstrapping the session requires outgoing TCP port 53 to be allowed, which you may or may not have in your hostile network, so maybe establish the mosh session from a non-hostile network first: once it is up, mosh only needs UDP and will roam with you. Outgoing UDP port 53 is much more likely to be allowed.

iodine is free btw so wtf u doing?

The wrapper script (the gist's file; its name is not shown on this page):

#!/bin/sh
# print the arguments the mosh client passes, then hand them to mosh-server under authbind; --deep keeps the LD_PRELOAD for the child that actually binds
>&2 echo "$@"
exec authbind --deep mosh-server "$@"
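The three steps above, as an added example that is not the gist's own code: a POSIX sh script that grants the port, writes the wrapper and prints the client command, plus a preflight check for the failure you hit most often (the marker file exists but is not executable by the user who will run mosh-server). AUTHBIND_ROOT (so the setup can be rehearsed against a scratch directory), the wrapper path passed to setup, and the host name are this example's own assumptions; the gist does not show its wrapper's file name.

```shell
#!/bin/sh
# Added example, not the gist's code. Automates the authbind + wrapper setup
# and adds a preflight check. Assumptions: the /etc/authbind/byport/<port>
# layout; AUTHBIND_ROOT and the wrapper path are this example's choices.

AUTHBIND_ROOT="${AUTHBIND_ROOT:-/etc/authbind}"

# Step 1: let user $1 bind port $2 (needs root for the real /etc/authbind).
# chown before chmod so the final mode is exactly what we set: 0500 means only
# the owner can "execute" the marker, which is the test authbind applies.
grant_authbind_port() {
    user="$1"; port="$2"; f="$AUTHBIND_ROOT/byport/$port"
    mkdir -p "$AUTHBIND_ROOT/byport" || return 1
    : > "$f" || return 1
    chown "$user" "$f" || return 1
    chmod 0500 "$f"
}

# Preflight: may the *calling* user bind port $1 under this configuration?
# authbind grants byport access when the marker is executable by the caller
# (access(2) with X_OK), which is what [ -x ] tests for our own uid. Run this
# as the user who will run mosh-server, not as root.
check_authbind_port() {
    port="$1"; f="$AUTHBIND_ROOT/byport/$port"
    if [ ! -e "$f" ]; then
        echo "authbind: $f missing, port $port granted to nobody" >&2
        return 1
    fi
    if [ ! -x "$f" ]; then
        echo "authbind: $f not executable by uid $(id -u): fix owner/mode" >&2
        return 1
    fi
    return 0
}

# Step 2: write the wrapper that --server points at. Same body as the gist's
# script, with "$@" quoted and exec so mosh-server replaces the shell.
write_wrapper() {
    dest="$1"
    mkdir -p "$(dirname "$dest")" || return 1
    cat > "$dest" <<'EOF'
#!/bin/sh
# log what the mosh client asked for, then run mosh-server under authbind;
# --deep keeps LD_PRELOAD in place for the child that actually binds
echo "$@" >&2
exec authbind --deep mosh-server "$@"
EOF
    chmod 0755 "$dest"
}

# Step 3: the client command. -p sets the server-side UDP port, --ssh puts the
# bootstrap SSH connection on the same TCP port (so sshd on $1 must listen
# there too), --server names the wrapper by its path on the server.
mosh_cmd() {
    host="$1"; wrapper="$2"; port="${3:-53}"
    printf 'mosh -p %s --ssh="ssh -p %s" --server=%s %s\n' \
        "$port" "$port" "$wrapper" "$host"
}

# Usage: "sh this.sh setup USER /home/USER/bin/mosh-server-authbind" as root
# on the server; "sh this.sh check" as USER; "sh this.sh cmd HOST WRAPPER"
# on the client prints the mosh invocation. No arguments: define and exit.
case "${1:-}" in
    setup) grant_authbind_port "$2" 53 && write_wrapper "$3" ;;
    check) check_authbind_port 53 ;;
    cmd)   mosh_cmd "$2" "$3" 53 ;;
esac
```

Rehearse it first with AUTHBIND_ROOT pointed at a scratch directory; the check function deliberately reports the two distinct failures (no marker at all versus a marker the wrong user owns) because both show up on the mosh side as the same unhelpful bind error.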