If iodine is too expensive, you can use mosh and authbind as an alternative to get your SSH/mosh tunnels through hostile networks.
This requires three ingredients:
- authbind with the requisite configuration
- A shell script to wrap the authbind call
- ALL the parameters for mosh
Why authbind and not setcap? Because authbind wouldn't need to exist if Debian managed to implement capabilities properly. setcap sets capabilities on binaries, making it essentially nothing but a slightly more fine-grained chmod +s, i.e. setuid. This is bad for all the reasons setuid is bad. Therefore I refuse to use it. There are other ways to give a user or a session additional capabilities, e.g. just by setting it up so their user session is launched with additional capabilities that they can then inherit to processes they launch from their session. Debian has broken that but at least has the grace to give us authbind.
First, give $USER the permission to bind to port 53 through authbind:
- Install authbind
- touch /etc/authbind/byport/53
- chmod u+x /etc/authbind/byport/53 (or make that g+x if you want to set it for a group)
- chown $USER /etc/authbind/byport/53 (or chown that to a group, or use facls if you want to get fancy)
Then, create the wrapper script somewhere:
- cat >/home/$USER/bin/authmosh.sh (Put the code there)
- chmod +x /home/$USER/bin/authmosh.sh
(Why is this wrapper script necessary? Because mosh is a poop and won't let you do --server="authbind mosh-server".)
Finally, call it:
mosh -p 53 --ssh="ssh -p 53" --server="/home/$USER/bin/authmosh.sh" $SHELL_HOST
So now mosh will use server port 53 for mosh (-p 53), establish the mosh session through port 53 (the --ssh parameter), and use the wrapper script (the --server parameter).
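The wrapper script and the byport setup above, as an added example (not the post's own script): a function that emits the wrapper body, an installer for it, and a check that the authbind byport file is owned by the intended user with u+x but without o+x, since authbind grants the port to whoever may execute that file. It assumes GNU stat(1) and that authbind and mosh-server are on PATH on the server.

```shell
# Body of the wrapper. mosh runs the --server command as
# "<server> new -s -c 256 -l LANG=... -p 53", so every argument is forwarded
# unchanged to mosh-server under authbind. Without --deep, libauthbind drops
# itself from LD_PRELOAD before mosh-server spawns the login shell, so the
# shell does not inherit the right to bind port 53.
authmosh_wrapper_body() {
  cat <<'EOF'
#!/bin/sh
exec authbind mosh-server "$@"
EOF
}

# Write the wrapper to $1 and make it executable
# (the post uses /home/$USER/bin/authmosh.sh).
install_authmosh() {
  mkdir -p "$(dirname "$1")" && authmosh_wrapper_body > "$1" && chmod 755 "$1"
}

# Check an authbind byport file ($1) for user $2: it must exist, be owned by
# that user, have the owner x bit set, and NOT have the other x bit set, which
# would hand the port to every local account. Setuid/setgid modes (4 digits)
# are rejected too. Returns 0 when the file is OK, 1 otherwise.
authbind_byport_ok() {
  f=$1; want_user=$2
  [ -f "$f" ] || return 1
  [ "$(stat -c %U "$f")" = "$want_user" ] || return 1
  mode=$(stat -c %a "$f")                   # e.g. 744
  case "$mode" in ???) ;; *) return 1 ;; esac
  owner=${mode%??}; other=${mode#??}
  case "$owner" in 1|3|5|7) ;; *) return 1 ;; esac   # owner needs x
  case "$other" in 0|2|4|6) ;; *) return 1 ;; esac   # others must not have x
  return 0
}
```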
This requires outgoing TCP port 53 to be allowed, which you may or may not have in your hostile network, so maybe establish the mosh session from a non-hostile network first. Outgoing UDP port 53 is much more likely to be allowed, though.
iodine is free btw so wtf u doing?