Closed mrbluecoat closed 2 years ago
For those that need to build it:
cd /tmp
git clone https://github.com/openziti-test-kitchen/zssh.git --recursive
cd zssh
go build ./zssh/zssh/main.go
mv main /usr/local/bin/zssh
cd /tmp
rm -rf /tmp/zssh
p.s. name collision: https://packages.ubuntu.com/jammy/zssh
Yeah. I'll see if I can get that done today. Thanks for the request.
Would you be so kind as to give https://github.com/openziti-test-kitchen/zssh/releases/download/0.0.14/zssh-linux-arm64 a try? file shows that it's arm 64 but - the proof will be when someone tries it. I don't have an arm64 linux machine handy. Do you mind testing it out on our behalf?
file zssh-linux-arm64
zssh-linux-arm64: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=67f01379468a944f37fc07ca94ec806274186f7b, for GNU/Linux 3.7.0, not stripped
It appears to be valid but I'm still learning OpenZiti so I'm not exactly sure how to test. On a Linux server I ran:
source /dev/stdin <<< "$(wget -qO- https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/image/ziti-cli-functions.sh)"; expressInstall
startZitiController
startExpressEdgeRouter
zitiLogin
ziti edge create service zssh
On another aarch64 Linux machine I downloaded the binary.
I'm not exactly sure what to do next. Am I supposed to create an identity json file?
ziti edge create identity user "NewUser" -o NewUser.jwt
ziti edge enroll --jwt NewUser.jwt --out NewUser.json
And then scp the json file to the aarch64 machine to run zssh NewUser -c NewUser.json?
Your https://openziti.io/zitifying-ssh blog page video simply shows zssh ClintLinuxVM which feels a bit like
I do love drawing the rest of the owl! I'm sorry, I seem to have posted the rest of the owl on the wrong issue!!! :( Here ya go
If you only need to login to the switch, then I would do the following:
ziti-edge-tunnel to enroll the identity
ziti-edge-tunnel in 'run-host' mode with that identity: ./ziti-edge-tunnel run-host -i switch.json (or whatever identity file you called it)
I made this video that shows that whole process if interested https://youtu.be/HFkT3NgjnJw
You'll end up with an ssh session to a machine that has no open firewall ports and only needs outbound internet that works/looks like this:
(I posted this over on the other issue by mistake - you'll probably find that soon enough over here https://github.com/openziti-test-kitchen/zssh/issues/23#issuecomment-1224869908) Apologies
Ah, the joys of reading my email oldest to newest :smile: Thanks. I'll let you know how it goes.
p.s. your https://github.com/openziti/ziti-doc/blob/main/docfx_project/articles/zitification/zitifying-ssh/zssh-cheat-sheet.md is a bit off for markdown but the raw is helpful
yeah. it was supposed to be a .txt file, but muscle memory probably typed .md when making the file for whatever reason. it's definitely 'messy' when you don't look at it raw...
Is ziti-edge-tunnel the same as ziti-tunnel that's installed with expressInstall?
no. it's a different repo linked in the video https://github.com/openziti/ziti-tunnel-sdk-c/releases/latest
ziti-tunnel is basically deprecated. it still works but some day it'll probably be removed in favor of ziti-edge-tunnel
I guess I assumed OpenZiti had NAT-traversal. I'll need to repeat the test with a public cloud server another day. Step 9:
ERROR failed to parse JWT: could not retrieve token URL certificate: could not contact remote server [https://test-pc:1280]: Get "https://test-pc:1280": dial tcp: lookup test-pc: no such host
That said, I think the arm64 file works so I'll close this ticket and resume my focus on the other ticket you linked.
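A pre-flight check for the enrollment failure reported above, added here as an example (not code from the thread or from OpenZiti): it reads the controller URL out of an enrollment JWT and tests whether the enrolling machine can resolve that host. It assumes the URL is carried in the token's `iss` claim; the function names and the sample token are constructed for illustration, and the signature is not verified because this is a diagnostic only.

```python
import base64
import json
import socket
from urllib.parse import urlsplit


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def controller_endpoint(token: str) -> tuple[str, int]:
    """Return (host, port) of the controller URL in the token.

    Assumption: the controller URL is the `iss` claim.
    """
    url = urlsplit(jwt_claims(token).get("iss", ""))
    if url.scheme != "https" or not url.hostname:
        raise ValueError("token has no https controller URL in 'iss'")
    return url.hostname, url.port or 443


def preflight(token: str, resolve=socket.getaddrinfo) -> str:
    """Report whether this machine can resolve the controller host."""
    host, port = controller_endpoint(token)
    try:
        resolve(host, port)
    except socket.gaierror as exc:
        return f"FAIL: cannot resolve {host}:{port} ({exc})"
    return f"OK: {host}:{port} resolves"


def make_sample_token(iss: str) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iss": iss, "sub": "sample"}), "sig"])


if __name__ == "__main__":
    # Constructed token pointing at the unresolvable host name from the error.
    print(preflight(make_sample_token("https://test-pc:1280")))
```

A FAIL result here means the token points at a name only the controller's own machine knows, which matches the `lookup test-pc: no such host` error.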
I guess I assumed OpenZiti had NAT-traversal.
Now I'm not a network engineer, but to me I think it really depends on what you're doing and how you're doing it and how much NAT traversal we're talking. Realistically, zssh can traverse any NAT because the way ziti works is by establishing an outbound connection to a public "edge router". We can (and imo how OpenZiti shines) take IP out of the equation entirely. That's some of the beauty of OpenZiti. Once you've made that connection to the OpenZiti network - NAT doesn't even really "exist" anymore to me because you only need to traverse the OpenZiti overlay. If that makes sense?
The tunneling voip over OpenZiti blog might give you more insights into some of the more detailed version of how OpenZiti does NAT traversal.
Another pretty awesome video you might really enjoy is one by one of our talented network engineers and head of our solution engineering team. He shows you how to use OpenZiti as a LAN gateway. You might like that one https://youtu.be/H0qGRBMGNIA
Yes, that LAN gateway video was perfect - thank you!
Can you add an ARM 64-bit version to your releases?