nirui / sshwifty

Web SSH & Telnet (WebSSH & WebTelnet client) 🔮
https://sshwifty-demo.nirui.org
GNU Affero General Public License v3.0

Request: Connection destination specification or connection list #14

Closed fu-sen closed 4 years ago

fu-sen commented 4 years ago

This is fantastic! I was looking for this!! 😄 Japanese Telnet BBS (using Shift_JIS) can be connected using sshwifty: Connect with Cloudready

But sshwifty can currently connect to any freely chosen destination. This can be abused. I want to limit the connections or show a list. (For example, I want to display a Japanese Telnet BBS list.) Or I want to restrict it to one connection destination. Can you add this to sshwifty?

nirui commented 4 years ago

Hi, glad you like the software.

Sshwifty is designed to be an SSH/Telnet client, not a gateway; it does not provide a destination restriction feature at this moment.

However, it is fairly easy to set up such restrictions on the server via:

iptables

If you're running the Sshwifty backend on a Linux server with iptables enabled, you can put limitations on which addresses and ports a Linux user can connect to. Then, if you run the Sshwifty backend as that user, the limitation will apply to Sshwifty as well.

The rules should look like the following; keep in mind you need to modify them to suit your needs:

# Allowing specific destination
iptables -A OUTPUT -m owner --uid-owner {USERNAME} -d {SERVER_IP} -p tcp --dport {SERVER_PORT} -j ACCEPT
# And then, drop all other connections
iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP

After that, the user {USERNAME} will only be able to connect to the TCP server {SERVER_IP}:{SERVER_PORT}. You can change {USERNAME} and {SERVER_IP}:{SERVER_PORT} based on your needs.

Also, you may need to configure iptables to allow access to the Sshwifty backend as well, as iptables may block wanted INPUT/OUTPUT connections after the rules become active.

A Socks5 server that supports Access Restriction

The Sshwifty backend supports a Socks5 proxy, which can be enabled by setting the Socks5 option. And I believe many Socks5 proxies support an outgoing access restriction feature, meaning you can set up such restrictions with those Socks5 servers, and then just ask Sshwifty to connect to remotes via those Socks5 servers.

I don't have any particular recommendation about which Socks5 server to choose, as I don't personally use them, so you might have to test it on your own :)

fu-sen commented 4 years ago

Yup. I understand that in config "SharedKey" etc. But that is not the limit I am seeking. What I want is to specify the connection destination in config etc.

fu-sen commented 4 years ago

This is strongly supported by fTelnet, which is adopted by the English Telnet BBS.

https://www.ftelnet.ca/
http://embed.ftelnet.ca/wizard/
https://github.com/search?q=ftelnet

nirui commented 4 years ago

Hello,

I think both iptables and Socks5 outgoing filtering are sufficient to prevent such abuse.

Can you help me to understand your request better? Why do you have to enforce such a restriction through Sshwifty instead of iptables etc.?

fu-sen commented 4 years ago

Repeat. I do not want it.

nirui commented 4 years ago

Repeat. I do not want it.

Hello,

I think there are some basic rules of the open source world you must understand: when you are "Request"ing something, what you're actually doing is trying to convince somebody to give you what you're wishing for, not making demands as if somebody owes you and must give you whatever you want.

And all that convincing takes effort.

I was trying to understand what you're wishing for, so I can evaluate all the options that I have in order to better implement the requested feature, OR refuse it if I fail to find any good plan.

Simply "I do not want it" does not count as valid information here, since it won't help me understand why the feature you requested is valuable enough for me to make some significant modifications to the software in order to introduce it. This won't change regardless of how many times you "repeat"ed that.

I'm expecting something more informative in your next reply. If you're unable to produce such a reply, please close this issue and just use fTelnet instead.

fu-sen commented 4 years ago

OK, I will explain why it is necessary.

Until now, no HTML5 Telnet client that can connect to Japanese Telnet BBS (Shift_JIS) from a Web browser has been found. (fTelnet is only available in English and cannot be used at this stage. I was thinking about requesting that fTelnet support other languages.) There is no Telnet client on current PCs. Windows can install a client relatively easily, but it is difficult on other OSes. Due to this, the number of people who can connect to Japanese Telnet BBS at present is limited.

sshwifty has solved this problem. I link https://sshwifty.herokuapp.com/ as a connection method and introduce (These links are in Japanese):

That's enough of an improvement, but I'd like to use sshwifty to refer to my BBS and fellow BBSes, put it on my server and publish it. It can allow many people to quickly connect to Japanese Telnet BBS. At least if I set up an sshwifty server on my BBS server, I can browse from the internet to the server with SSL. I may ask other BBS operators to set up an sshwifty server. (I really want to use ssh, but development of the Japanese BBS program has been stopped for a while.)

No other connections are required. Your statement is that it suffices if I build an sshwifty server locally, or use a sufficient Telnet/ssh client. So far, my request and your answer have never been consistent.

nirui commented 4 years ago

OK, I understood the core problem now.

I could theoretically make the "Known remotes" tab display nothing but the hosts that you specified, and reject connection requests if the target remote is not on the host list.

I need a few days to implement and test this feature; I'll let you know if there is any update.

fu-sen commented 4 years ago

Thanks for understanding. That is at least what BBS operators want. I'm not in a rush for it. (BBS has a longer history than the Internet.) I can wait for a while. 😊

nirui commented 4 years ago

Hello,

Thanks for waiting.

Just letting you know that I've introduced a new feature called "Presets" into Sshwifty, which should satisfy this feature request.

The Presets feature will allow you to define presets which can automatically fill in connection configurations for your users, so they don't have to do it manually.

Demo

In addition to that, you can also prevent your users from connecting to remotes other than those already defined in the presets by enabling the OnlyAllowPresetRemotes option.

I've already deployed the change along with a few temporary presets (including your BBS) to the demo service (https://sshwifty.herokuapp.com, without enabling OnlyAllowPresetRemotes), so you can check it out by yourself and then send me some feedback.

The presets configuration used on the demo service currently is:

[
    {
        "Title": "SDF.org Unix Shell",
        "Type": "SSH",
        "Host": "sdf.org",
        "Meta": {
            "Encoding": "utf-8",
            "Authentication": "Password"
        }
    },
    {
        "Title": "瀚海星云(中国科学技术大学)",
        "Type": "Telnet",
        "Host": "bbs.ustc.edu.cn",
        "Meta": {
            "Encoding": "gbk"
        }
    },
    {
        "Title": "北極星(國立臺北大學)",
        "Type": "Telnet",
        "Host": "bbs.ntpu.edu.tw",
        "Meta": {
            "Encoding": "big5"
        }
    },
    {
        "Title": "Ballon BBS",
        "Type": "Telnet",
        "Host": "fusen.ddns.net:55223",
        "Meta": {
            "Encoding": "shift-jis"
        }
    }
]

However, the original plan, which was to

make the "Known remotes" tab display nothing but the hosts that you specified

has been proven to be not ideal, as it will create difficulties for users who want to see their connection history.

Notice: The change hasn't been released yet; it only exists in the source code.
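As an added example that is not part of this thread or of Sshwifty's own code base: a Go sketch of how the OnlyAllowPresetRemotes gate described above could be enforced over the presets JSON format shown in the comment. The functions normalizeRemote, LoadAllowed and Allow and the defaultPorts table are assumptions of this example, not Sshwifty's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Two entries copied from the presets list posted above, used here as sample input.
const samplePresets = `[{"Title":"SDF.org Unix Shell","Type":"SSH","Host":"sdf.org","Meta":{"Encoding":"utf-8"}},
{"Title":"Ballon BBS","Type":"Telnet","Host":"fusen.ddns.net:55223","Meta":{"Encoding":"shift-jis"}}]`
// defaultPorts is an assumption for presets that omit the port (Sshwifty's own defaults may differ).
var defaultPorts = map[string]string{"ssh": "22", "telnet": "23"}

// normalizeRemote turns "host" or "host:port" into "type://host:port" so that "SDF.ORG"
// and "sdf.org:22" compare equal and a Telnet preset never authorises SSH to the same host.
func normalizeRemote(typ, host string) (string, error) {
	typ = strings.ToLower(typ)
	h, p, err := net.SplitHostPort(host)
	if err != nil { // no port given: fall back to the protocol default
		h, p = host, defaultPorts[typ]
	}
	if h == "" || p == "" { // empty host, or a type with no known default port
		return "", fmt.Errorf("invalid %s remote %q", typ, host)
	}
	return typ + "://" + strings.ToLower(h) + ":" + p, nil
}

// LoadAllowed records every preset remote in canonical form; a malformed preset is an error.
func LoadAllowed(presetsJSON string) (map[string]bool, error) {
	var presets []struct{ Title, Type, Host string } // other preset fields are ignored
	if err := json.Unmarshal([]byte(presetsJSON), &presets); err != nil {
		return nil, err
	}
	allowed := map[string]bool{}
	for _, pr := range presets {
		key, err := normalizeRemote(pr.Type, pr.Host)
		if err != nil { // fail closed: refuse to start with an ambiguous allow-list
			return nil, fmt.Errorf("preset %q: %w", pr.Title, err)
		}
		allowed[key] = true
	}
	return allowed, nil
}

// Allow is a hypothetical reimplementation of OnlyAllowPresetRemotes; with it off, any remote may be dialed.
func Allow(allowed map[string]bool, onlyPresetRemotes bool, typ, host string) bool {
	key, err := normalizeRemote(typ, host)
	return !onlyPresetRemotes || (err == nil && allowed[key])
}
```

The check is keyed on type, host and port together, so a user request for the same host over a different protocol or port is refused, and an unknown preset type stops the load rather than silently widening the allow-list.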

nirui commented 4 years ago

The feature has been released as part of version 0.2.0.

I'll close this issue for now, feel free to reopen it if you have any feedback.

fu-sen commented 4 years ago

I tried building from source based on the contents of the README after your report, but it failed. (Windows 10) I'll download the binary and check it.

nirui commented 4 years ago

Well, I guess the commands are different on Windows 10.

You may try manually executing the following commands instead of npm run build:

set NODE_ENV=production
set CGO_ENABLED=0
webpack --mode=production --config=webpack.config.js
go build

Note that I don't have any machine running Windows at this moment, so you have to test the commands by yourself :)

fu-sen commented 4 years ago

I will try building from source again later.

And I installed Sshwifty on my BBS server. (deleted)

Thanks @niruix ! 😄

jhongsedecalp commented 2 years ago

Hello, is it possible to only use TELNET and automatically run the host:port?

nirui commented 2 years ago

Hi, @jhongsedecalp.

Currently you can't disable the SSH feature alone, sorry. Maybe give the OnlyAllowPresetRemotes option a try? If you enable it, the users will only be able to connect to the Telnet host that you defined.