openziti-test-kitchen / zssh

Ziti SSH
Apache License 2.0

Network Layer #23

Closed mrbluecoat closed 2 years ago

mrbluecoat commented 2 years ago

Sorry if this is documented elsewhere, but does OpenZiti operate at Layer 2? https://openziti.discourse.group/t/where-to-begin-with-openziti/426/33?page=2 says

ziti operates also at a lower level… within the TLS at layer 2

So if I have a managed switch running a Linux transparent bridge I could use zssh to login?

dovholuknf commented 2 years ago

Ziti absolutely does not operate at layer 2. It's layer 3+. I corrected that statement further down that thread:

personally wouldn’t consider OpenZiti on layer 2 of the OSI model. Realistically, OpenZiti probably operates somewhere after layer 4 (TCP/IP) and before layer 7 (application). OpenZiti is an ‘overlay’ network. It’s a different way of thinking for sure.

Tunneling apps though - they do interact with layer 3/4 (TCP, IP, ports etc). Tunneling apps are a step along the OpenZiti journey. Most people start here because it's usually just easier to get going for new learners for that reason.

Zssh explicitly dials a service by identity name. At this time, you would be required to have a matching ziti identity. So you could use zssh to login to the switch, but not anything attached to that switch.

I think a feature could be added to zssh that would allow you to connect through the bridge, allowing you to connect to anything attached to the bridge but it would have to be developed.

mrbluecoat commented 2 years ago

I guess I should have kept reading that post 😆

My use case only needs to login to the switch (no other devices on the network) so I'm interested in how this could be set up. Specifically, if I have a device running Linux with two NICs and I configure it as a Layer 2 transparent bridge between a modem connected to the internet and a router that provides the dhcp/nat for a small network, how can I ssh (or zssh) into the transparent bridge?

dovholuknf commented 2 years ago

If you only need to login to the switch, then I would do the following:

  1. make an identity for the switch (server)
  2. move the .jwt for the switch, to the switch
  3. download ziti-edge-tunnel to the switch (and unzip it)
  4. use ziti-edge-tunnel to enroll the identity
  5. start ziti-edge-tunnel in 'run-host' mode with that identity: ./ziti-edge-tunnel run-host -i switch.json (or whatever identity file you called it)
  6. create and authorize a zssh service following the cheatsheet
  7. make a zssh client identity
  8. download zssh
  9. use zssh to enroll the client identity
  10. use zssh to zssh to the switch

I made this video that shows that whole process if you're interested: https://youtu.be/HFkT3NgjnJw

You'll end up with an ssh session to a machine that has no open firewall ports and only needs outbound internet that works/looks like this:

[image: screenshot of the resulting zssh session]

dovholuknf commented 2 years ago

I am closing this issue for now. I think it was answered. If not, please re-open.

mrbluecoat commented 2 years ago

The original question was answered so I'll leave this as closed. Regarding the follow-up task, I got stuck trying to do the expressInstall on an Oracle Cloud instance:

1. Create free Oracle Cloud ARM instance: https://www.youtube.com/watch?v=4642CoP0q7Y

2. On the instance page, click "Copy" next to "Public IP address" and save it for later reference.

3. Click "Show" next to "Internal FQDN" and copy it for use later.

4. Click the link next to "Subnet"

5. Click the "Default Security List" link at the bottom of the page

6. Click "Add Ingress Rules" button and configure:

* Source Type: CIDR
* Source CIDR: 0.0.0.0/0
* IP Protocol: TCP
* Source Port Range: {leave blank for All}
* Destination Port Range: 6262,8441,8442,10080
* Description: OpenZiti

7. Click "Add Ingress Rules" button

8. SSH into your cloud instance and run:

sudo apt install -y jq wget psmisc
sudo apt install ca-certificates --reinstall
sudo update-ca-certificates -f

9. Install OpenZiti https://openziti.github.io/ziti/quickstarts/network/hosted.html

export EXTERNAL_DNS="value-from-step-3-above"

export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_EDGE_CONTROLLER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_EDGE_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_EDGE_CONTROLLER_HOSTNAME="${EXTERNAL_DNS}"
export ZITI_EDGE_ROUTER_HOSTNAME="${EXTERNAL_DNS}"
export ZITI_EDGE_CONTROLLER_PORT=8441
export ZITI_EDGE_ROUTER_PORT=8442
source /dev/stdin <<< "$(wget -qO- https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/image/ziti-cli-functions.sh)"; expressInstall

# throws these errors:
******** Setting Up Controller ********
wrote CA file to: /home/ubuntu/.ziti/quickstart/webmaster/pki/cas.pem
Controller configuration file written to: /home/ubuntu/.ziti/quickstart/webmaster/webmaster.yaml
ziti-controller initialized. see /home/ubuntu/.ziti/quickstart/webmaster/webmaster-init.log for details
ziti-controller started as process id: . log located at: /home/ubuntu/.ziti/quickstart/webmaster/webmaster.log
waiting for the controller to come online to allow the edge router to enroll
RESTY 2022/09/08 04:14:08 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 1
RESTY 2022/09/08 04:14:08 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 2
RESTY 2022/09/08 04:14:08 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 3
RESTY 2022/09/08 04:14:09 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 4
RESTY 2022/09/08 04:14:09 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 5
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 1
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 2
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 3
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 4
RESTY 2022/09/08 04:14:12 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 5
error: unable to authenticate to https://REDACTED.oraclevcn.com:8441. Error: Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority
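A preflight check for the step 9 variables and for the CA trust failure shown in the log above. This is an added example, not code from zssh or the OpenZiti quickstart; the function names are my own, and the cas.pem path (the one the quickstart log prints) is passed in rather than assumed.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the quickstart inputs before expressInstall bakes
# them into the controller PKI, then verify the served certificate against a
# chosen CA bundle instead of the system trust store.

# Reject placeholder or malformed values. Prints the problem on stderr and
# returns 1; returns 0 when the four inputs look usable.
check_quickstart_env() {
  local dns="$1" ip="$2" cport="$3" rport="$4" o p
  case "$dns" in
    ""|*value-from-step*|*" "*)
      echo "EXTERNAL_DNS is empty or still a placeholder: '$dns'" >&2; return 1 ;;
  esac
  # Split the IP on dots (IFS is local to this function) and check each octet.
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || { echo "EXTERNAL_IP is not a dotted quad: '$ip'" >&2; return 1; }
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) echo "bad octet '$o' in EXTERNAL_IP" >&2; return 1 ;; esac
    [ "$o" -le 255 ] || { echo "octet '$o' out of range in EXTERNAL_IP" >&2; return 1; }
  done
  for p in "$cport" "$rport"; do
    case "$p" in ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port '$p' out of range" >&2; return 1; }
  done
  [ "$cport" != "$rport" ] || { echo "controller and router ports must differ" >&2; return 1; }
  return 0
}

# Fetch /version the same way the quickstart does, but trusting only the given
# CA bundle. A failure here is the "x509: certificate signed by unknown
# authority" case from the log; the printed subject/issuer shows which chain the
# controller actually served so it can be compared with cas.pem.
check_controller_ca() {
  local host="$1" port="$2" ca="$3"
  [ -r "$ca" ] || { echo "CA bundle not readable: $ca" >&2; return 1; }
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer >&2
  curl -sS --cacert "$ca" "https://$host:$port/version" >/dev/null
}

# Usage: ./preflight.sh --run /home/<user>/.ziti/quickstart/<name>/pki/cas.pem
if [ "${1:-}" = "--run" ]; then
  check_quickstart_env "$EXTERNAL_DNS" "$EXTERNAL_IP" \
    "$ZITI_EDGE_CONTROLLER_PORT" "$ZITI_EDGE_ROUTER_PORT" \
    && check_controller_ca "$EXTERNAL_DNS" "$ZITI_EDGE_CONTROLLER_PORT" "${2:?path to cas.pem}"
fi
```

Run it after the exports in step 9 and before sourcing ziti-cli-functions.sh; the CA check is only meaningful once the controller is up.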