openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Add experimental SSH management tool #2439

Open plorenz opened 3 days ago

plorenz commented 3 days ago

Allow SSH to controllers and routers over the mgmt and control channels.

Note: Both the enabled and enableExperimentalFeature flags must be set to true.

Using a local ssh server: if dialing a local service, the format must be 127.0.0.1:<port>. No external IP or hostname may be used.

mgmt:
  pipe:
    enabled: true
    enableExperimentalFeature: true
    destination: 127.0.0.1:22

If there's no ssh server running, an embedded ssh server may be used.

mgmt:
  pipe:
    enabled: true
    enableExperimentalFeature: true
    destination: embedded-ssh-server
    authorizedKeysFile: /home/plorenz/tmp/authorized_keys # optional, will default to $HOME/.ssh/authorized_keys
    shell: /usr/bin/bash # optional, will default to `/bin/sh`

If you want to enable the feature, but don't want ssh access enabled on the controller itself, don't specify a destination.

Example:

mgmt:
  pipe:
    enabled: true
    enableExperimentalFeature: true

The feature must be enabled on each controller and router you want to access. Because access to routers is through a controller, the feature must be enabled on both the controller and the router, though as noted above, ssh access to the controller itself is not necessary.

Example use:

emoscardini commented 2 days ago

@plorenz For the question

Should it be 127.0.0.1 instead of localhost?

IMO, I would go with 127.0.0.1 instead of localhost. localhost is still a resolvable name and therefore can be redirected to something other than 127.0.0.1.
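The PR description lists the `mgmt.pipe` keys (`enabled`, `enableExperimentalFeature`, `destination`, `authorizedKeysFile`, `shell`) and the rule that a local destination must be the literal `127.0.0.1:<port>`, and the comment above argues for rejecting `localhost` because it resolves. The following is an added example of how such a validator can enforce both points. It is illustrative code written for this page, not OpenZiti's implementation; the `PipeConfig`/`Resolve` names, the `home` parameter and the `DestKind` values are assumptions, and the struct stands in for whatever the project decodes from the YAML.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
)

// PipeConfig mirrors the keys shown under mgmt.pipe in the PR description.
// The Go field names are assumptions for this example; only the YAML keys
// come from the PR.
type PipeConfig struct {
	Enabled                   bool
	EnableExperimentalFeature bool
	Destination               string
	AuthorizedKeysFile        string
	Shell                     string
}

// DestKind is what the validator decides the node should do (example-only names).
type DestKind int

const (
	Disabled  DestKind = iota // feature off: one of the two flags is false
	RelayOnly                 // feature on, no destination: node relays, no ssh into it
	LocalSSH                  // dial an existing sshd on 127.0.0.1:<port>
	Embedded                  // run the embedded ssh server
)

// Resolved is the validated, defaulted result of a PipeConfig.
type Resolved struct {
	Kind               DestKind
	Host               string
	Port               int
	AuthorizedKeysFile string
	Shell              string
}

// ErrNotLoopback is returned for any host other than the literal 127.0.0.1.
var ErrNotLoopback = errors.New("destination host must be the literal 127.0.0.1")

// Resolve applies the rules from the PR: both flags required, empty destination
// means relay-only, "embedded-ssh-server" gets the documented defaults, and
// anything else must be 127.0.0.1:<port>. home is used for the authorized_keys
// default so the function is deterministic under test.
func Resolve(cfg PipeConfig, home string) (Resolved, error) {
	if !cfg.Enabled || !cfg.EnableExperimentalFeature {
		return Resolved{Kind: Disabled}, nil
	}
	switch cfg.Destination {
	case "":
		return Resolved{Kind: RelayOnly}, nil
	case "embedded-ssh-server":
		r := Resolved{Kind: Embedded, AuthorizedKeysFile: cfg.AuthorizedKeysFile, Shell: cfg.Shell}
		if r.AuthorizedKeysFile == "" {
			r.AuthorizedKeysFile = filepath.Join(home, ".ssh", "authorized_keys")
		}
		if r.Shell == "" {
			r.Shell = "/bin/sh"
		}
		return r, nil
	}
	host, portStr, err := net.SplitHostPort(cfg.Destination)
	if err != nil {
		return Resolved{}, fmt.Errorf("destination %q: expected 127.0.0.1:<port>: %w", cfg.Destination, err)
	}
	// Compare the literal and never resolve it: "localhost" is a name that
	// /etc/hosts or DNS can point somewhere else, and "::1" or any routable
	// address is outside the documented contract.
	if host != "127.0.0.1" {
		return Resolved{}, fmt.Errorf("destination host %q: %w", host, ErrNotLoopback)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return Resolved{}, fmt.Errorf("destination port %q is not a valid TCP port", portStr)
	}
	return Resolved{Kind: LocalSSH, Host: host, Port: port}, nil
}

func main() {
	home, _ := os.UserHomeDir()
	// Constructed sample configs covering the cases in the PR plus the rejected ones.
	for _, c := range []PipeConfig{
		{Enabled: true, EnableExperimentalFeature: true, Destination: "127.0.0.1:22"},
		{Enabled: true, EnableExperimentalFeature: true, Destination: "localhost:22"},
		{Enabled: true, EnableExperimentalFeature: true, Destination: "embedded-ssh-server"},
		{Enabled: true, EnableExperimentalFeature: true},
		{Enabled: true, Destination: "127.0.0.1:22"},
	} {
		r, err := Resolve(c, home)
		fmt.Printf("%-25q -> kind=%d host=%q port=%d err=%v\n", c.Destination, r.Kind, r.Host, r.Port, err)
	}
}
```

The check is a string comparison against the literal, not a `net.LookupHost` or `net.ParseIP(...).IsLoopback()` test: the latter would also admit `127.0.0.2` or `::1`, and resolving a name is exactly the redirection the comment warns about.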