Open stokito opened 1 year ago
Hostkeys of SSH providers are included into the package. So once connecting users will be safe and they don't have to trust to a key that they didn't saw before. They still can check by eyes that fingerprint is the same as the providers says. If a key is compromised then users are in danger. We must update the sshtunnel with a new key but not all users updating their system. The attacker can make a MITM but I hope that users will use an additional encryption e.g. TLS. Still, most of the SSH providers are making the TLS offloading. Anyway this is better then Trust of first usage (TOFU).
Main free SSH providers:
Pre-install known hostname for the localhost.run. The problem is that the RSA pubkey is big. Need to ask generate a ed25519.
Support for localhost.run out of the box and extract the domain.
Interesting that SSH supports dynamic allocation of a remote port. If you specified 0 then a server may take any free port and return it to you. To get it you can execute
ssh -O forward
. https://unix.stackexchange.com/a/584505/162125Maybe on the SSH protocol level it's also possible to request an external domain that was allocated for you. Then there will be no need for execution of a special command or checking logs to get the domain.