Comment by pingiun

7 hours ago

How do you proxy the SSH connections? I thought you could not do hostname-based proxying with the SSH protocol.

[exe.dev co-founder here] You are right, you cannot! It was quite a bit of work. We have a blog post in the works that should come out in a couple of weeks with all the details.

  • I was just sufficiently nerd sniped by this, so let me know if I’m close:

    Based on what the commenter below found about sshpiper I believe that you use the ssh identity + the ip from the slot to resolve the vm target. sshpiper knows how to route the ssh identity + slot ip to the correct VM. I suspect you have a custom sshpiper plugin to do that routing.

    You use the slot record indirection so you can change the ip of a slot without having to update everyone’s A records across the customer base. It also makes it easy to shuffle around vm-slot mappings within a customer. I haven’t tested, but I’m guessing this dns server is internal (coredns?), and the ips too.

    I did something similar (ip + identity routing) for a project a few weeks ago. Yours is a lot more elegant with the dns indirection.

    I’m no ssh expert, but in theory you should be able to ssh -J exe.dev myvm.exe.xyz for a one-liner? Or maybe you don't even need it, if that DNS server within the ssh exe.dev is the same as the public DNS. Pardon for not testing it yet!

Would be interested in this too. I did some work in the past to make it work via Envoy proxy using HTTP CONNECT, but that requires plugging in proxytunnel[0] or nc on the client side.

  > $ nslookup abc.exe.xyz  
  > abc.exe.xyz canonical name = s001.exe.xyz.  
  > $ telnet s001.exe.xyz 22  
  > Trying 100.20.12.135...  
  > Connected to s001.exe.xyz.  
  > Escape character is '^]'.  
  > SSH-2.0-SSHPiper

Looks like it uses sshpiper[1]?

[0] https://github.com/proxytunnel/proxytunnel

[1] https://github.com/tg123/sshpiper

Looks like it's a combination of SSH server IP address + public key.

Each VM you create (up to 25 of them) gets a different CNAME record of the form s0NN.exe.xyz where NN ranges from 01 to 25. Each of these names, from s001.exe.xyz to s025.exe.xyz, resolves to a different IP address.

Therefore the individual VM can be distinguished this way, and the account they are associated with can be identified using the SSH public key that is used to authenticate.
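Added example, not part of the thread and not exe.dev's or sshpiper's code: a sketch of the routing the comments above infer, where the backend is chosen from the address the connection arrived on (the slot) plus the fingerprint of the client's public key. The VM names, key material and 203.0.113.x slot addresses are constructed for illustration.

```python
import base64
import hashlib
import struct
from typing import Optional


def constructed_key_line(seed: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from constructed bytes (not a real key)."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for an Ed25519 public key
    algo = b"ssh-ed25519"
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(raw)) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -l` prints it: unpadded base64 of the hashed key blob."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample data: two accounts, slot IPs from the documentation range.
ALICE = constructed_key_line(b"alice", "alice@laptop")
BOB = constructed_key_line(b"bob", "bob@laptop")
SLOT_IP = {"s001": "203.0.113.1", "s002": "203.0.113.2"}

# (IP the client connected to, key fingerprint) -> backend VM (hypothetical names).
# Slot names repeat across accounts; only the pair is unique.
ROUTES = {
    (SLOT_IP["s001"], fingerprint(ALICE)): "vm-alice-web",
    (SLOT_IP["s002"], fingerprint(ALICE)): "vm-alice-db",
    (SLOT_IP["s001"], fingerprint(BOB)): "vm-bob-dev",
}


def route(local_ip: str, offered_key: str) -> Optional[str]:
    """Return the backend for this connection, or None to refuse it.

    This is only the lookup step. A real proxy must still verify the client's
    signature for the offered key before forwarding anything to the backend.
    """
    return ROUTES.get((local_ip, fingerprint(offered_key)))


if __name__ == "__main__":
    for ip, key in [(SLOT_IP["s001"], ALICE), (SLOT_IP["s001"], BOB), (SLOT_IP["s002"], BOB)]:
        print(ip, fingerprint(key), "->", route(ip, key))
```

The same slot address maps to different VMs for the two keys, and a key with no VM in a slot gets no route, which is why the slot count only needs to cover one account's VMs rather than the whole customer base.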