ssh browser

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47


#1 Post by rufwoof »

Https end to end encrypts the content of data being exchanged thereby protecting it from man in the middle. Initially however the two end points have to handshake openly in order to prepare/setup the encryption - typically using something like this. That occurs for each and every site you visit (either directly or via one web page drawing in material from other web pages/sites). Your ISP and hence local state authorities potentially get to see/monitor all of those open exchanges - they know exactly which sites you visited/obtained content from.

Tor browsers in effect better hide what content/sites are visited, in many respects similar to ssh, where your local ISP gets to see you connected, but subsequent connections are tunneled through an encrypted link so they see neither the site nor content (other than the encrypted data flow).

With ssh you can ssh into one box, and then ssh from that into another box ...etc. So that at your local end your ISP/state only sees the initial connection. With that in mind I set up a simple ssh server session, inside an EasyOS container, that has no password and no key access i.e. is open to all. For protection I allocated that its own unique shell, i.e. not /bin/bash ... but a simple script that just loops around asking for a command and a case statement that runs any valid command, and where the commands available are extremely limited. Expanding upon that I added methods to show dialogs, play sounds, videos ...etc. Being ssh based, it's all textual, so those dialogs, playing sounds/videos can all be performed from cli (for videos it plays on the framebuffer).

Looking around however and I've not found any form of ssh based browser. Similarly in the absence of such very few sites actually accommodate using ssh instead of https/http. But there would seem to be an opening for such. Given a ssh browser that worked from cli and the hard of sight/hearing might be more attracted to predominately textual based web sites over that of advert bloated https content.

For a feel I've set up ssh server on my desktop, that's only available when my desktop PC is running and when I have the container loaded. Give it a try for yourself by opening a terminal and running

Code:

ssh -t -p 443 ssh@ssh.ddnsfree.com
Once in, type help for the available (limited) commands available. You might like to try one of the example dialogs for instance entering ... gauge
Or listen to a sound stream, again open a terminal and enter ...

Code:

ssh -p 443 ssh@ssh.ddnsfree.com 'mp3test' | mpv -
(or change mpv to vlc if you prefer vlc). Or watch a test video using

Code:

ssh -p 443 ssh@ssh.ddnsfree.com 'mkvtest' | mpv -
Pull all of that together and it's potentially the foundation for creating a ssh based browser. And given a ssh browser ssh content would potentially follow (wider adoption of provision of ssh based content in addition to https content).

Just a thought.

EDIT: Edited for change of url to ssh@ssh.ddnsfree.com running on port 443 (as that is more inclined to be accessible (usually https's port) from the likes of internet cafe)
Last edited by rufwoof on Sun 07 Apr 2019, 15:17, edited 8 times in total.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]
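
The restricted shell described in post #1 (a loop that reads a command and a case statement that runs only known ones), as an added sketch that is not rufwoof's actual script. The file name `rshell`, the `quit` command and the handler bodies are assumptions; `help` and `gauge` are the command names mentioned in the post.

```shell
#!/bin/sh
# Added sketch of an allowlist login shell for a password-less ssh account.
# Not rufwoof's script: the file name "rshell" and handler bodies are assumed.
LC_ALL=C; export LC_ALL

# dispatch LINE: run one allowlisted command. Returns 0 ok, 1 rejected, 2 quit.
dispatch() {
    # Accept a single lowercase word only: no arguments, paths or shell
    # metacharacters ever reach a handler.
    case $1 in
        ''|*[!a-z0-9]*) echo "rejected"; return 1 ;;
    esac
    # The input only selects a branch; it is never eval'd, expanded or
    # handed to another program.
    case $1 in
        help)  echo "commands: help gauge quit" ;;
        gauge) echo "[gauge dialog would run here]" ;;   # placeholder
        quit)  return 2 ;;
        *)     echo "unknown command: $1"; return 1 ;;
    esac
}

restricted_shell() {
    # `ssh host 'cmd'` reaches the login shell as: <shell> -c 'cmd'
    if [ "$1" = "-c" ]; then dispatch "$2"; return; fi
    while printf '> ' && IFS= read -r line; do
        dispatch "$line" || [ $? -ne 2 ] || break
    done
}

# Start the loop only when installed under the assumed name, so the functions
# can be sourced and tested without blocking on stdin.
case ${0##*/} in rshell) restricted_shell "$@" ;; esac

# The shell alone does not stop tunnelling through the open account; the
# matching sshd_config block (account name "ssh" as on the page) would be:
#   Match User ssh
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTunnel no
```
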

fabrice_035
Posts: 765
Joined: Mon 28 Apr 2014, 17:54
Location: Bretagne / France

#2 Post by fabrice_035 »

I don't know if I've all understood, but is that what you're proposing?

https://alexandre.alapetite.fr/doc-alex ... ex.fr.html

https://www.deepl.com/

A vpn is not enough?
Bionicpup64-8.0 _ Kernel 5.4.27-64oz _ Asus Rog GL752

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#3 Post by tallboy »

Code:

ssh: Could not resolve hostname jfholings.ddnsfree.com: Name or service not known
True freedom is a live Puppy on a multisession CD/DVD.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#4 Post by s243a »

tallboy wrote:

Code:

ssh: Could not resolve hostname jfholings.ddnsfree.com: Name or service not known
I think you might have to install some special dns service for this to work. For example:
http://www.ddnsfree.org/

but that was just one link that came up in a google search and I haven't investigated enough to know if it is relevant.

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#5 Post by tallboy »

No problem, I found that there is just a misspelled address in rufwoof's thread! I just copied and pasted the text, and therefore also the address with a missing d in jfholdings. :D

I also changed mpv to mplayer, and I listen to the music right now! Just my taste in music too! :D

==========================================================================
Opening audio decoder: [mp3lib] MPEG layer-2, layer-3
mpg123: Can't rewind stream by 508 bits!
AUDIO: 44100 Hz, 2 ch, s16le, 128.0 kbit/9.07% (ratio: 16000->176400)
Selected audio codec: [mp3] afm: mp3lib (mp3lib MPEG layer-2, layer-3)
==========================================================================
AO: [alsa] 48000Hz 2ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A: 537.5 (08:57.4) of -33.5 (unknown) 1.5%

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

Thanks. I've corrected the OP for that misspelling.

ddnsfree is just a service I use that redirects a fixed domain name i.e. jfholdings.ddnsfree.com ... to a variable IP i.e. if your ISP changes the IP allocated to you, or you change site and pick up another/different IP.

I've just blocked the whole of China IP's due to the blitz of ssh scans that originate out of China. A bit unkind on the genuine users in China, but easier for me to do that than block on a repeated as and when detected basis, when the system repeatedly resets to clean/fresh at each reboot.

At least I think they're blocked. Don't know of an easy means to test that myself. I'm just using a crude method of

Code:

#!/bin/sh
# Pull the latest list of address blocks allocated to China
# (-O overwrites the old copy; plain "wget -P ." would save reruns as cn.zone.1)
wget -O /etc/cn.zone http://www.ipdeny.com/ipblocks/data/countries/cn.zone || exit 1
# Insert a DROP rule at the top of INPUT for each block in the downloaded list
while read -r i; do
   [ -n "$i" ] && iptables -I INPUT 1 -s "$i" -j DROP
done < /etc/cn.zone
Subsequently running

Code:

iptables -L -n --line
shows them as blocked, but I lack the skill to physically test that (rely upon what the logs reveal over time).

I should really be just scanning/setting once, and then iptables-save and then iptables-restore at the next reboot, but the list of IP's is quite dynamic so that iptables-save would need relatively frequent updating/refreshing anyway.

EDIT : changed the above from using -A to using -I INPUT 1 ... as iptables is order/sequence specific and the default puppy has an allow all as the first line which overrides all subsequent lines i.e. DROP's are ignored if specified beneath that. By inserting each DROP at the start then they appear at the top and are honored. I tested that works by using an online/browser ssh service and saw that permitted without a DROP rule, then when I inspected /var/log/message and determined the IP they used to connect I added (inserted at line 1) a DROP for that IP and the subsequent browser ssh connect attempt was indeed blocked. With the -A (append) method, the undesired connection was still possible.
Last edited by rufwoof on Sat 30 Mar 2019, 12:57, edited 2 times in total.
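
The same country block done with a single iptables rule backed by an ipset, which covers the rule-order and refresh points raised in post #6; this is an added example, not code from the thread. The set name `china`, the scratch set `china-new` and the constructed sample list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a cn.zone style list into
# `ipset restore` input. Set name "china" and sample data are assumptions.

# is_cidr STRING: succeed only for a.b.c.d/n, octets 0-255, n 0-32.
is_cidr() {
    case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1              # no "/" present
    case $len in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_restore SET < list: emit commands that fill a scratch set, then swap
# it with the live one, so the block is never empty during a refresh.
build_restore() {
    echo "create $1 hash:net family inet"
    echo "create $1-new hash:net family inet"
    echo "flush $1-new"
    while IFS= read -r net; do
        if is_cidr "$net"; then echo "add $1-new $net"; fi
    done
    echo "swap $1-new $1"
    echo "destroy $1-new"
}

# Constructed sample list (documentation ranges plus malformed lines).
sample_zone() {
    printf '%s\n' '192.0.2.0/24' '198.51.100.0/24' '203.0.113.0/33' \
        '999.0.113.0/24' '203.0.113.0/24; reboot' '# comment' '203.0.113.0/24'
}

sample_zone | build_restore china
# Apply as root:
#   build_restore china < /etc/cn.zone | ipset -exist restore
#   iptables -C INPUT -m set --match-set china src -j DROP 2>/dev/null ||
#       iptables -I INPUT 1 -m set --match-set china src -j DROP
```

Because the rule refers to the set by name, refreshing the list only touches the set; the rule stays at position 1 of INPUT and does not need re-inserting.
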

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#7 Post by rufwoof »

fabrice_035 wrote:I don't know if I've all understood, but is that what you're proposing?

https://alexandre.alapetite.fr/doc-alex ... ex.fr.html

https://www.deepl.com/

A vpn is not enough?
Not really. Rather just using ssh protocol rather than https, as that is void of javascript, is more textual (better for hard of sight/hearing), less commercial (void of adverts). All the elements are there for potentially forming a browser, and given a browser more might opt to provide both https and ssh based content (web sites).

Tunnelling is potentially part of that however, as that provides better privacy at your local ISP/state end.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#8 Post by rufwoof »

Ah!

For multiple concurrency I was hitting problems with ssh. But then found that adding

Code:

Host ssh.ddnsfree.com
    User ssh
    HostName ssh.ddnsfree.com
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p
to the ssh client's /etc/ssh/ssh_config resolves those issues.

Without ControlPersist, once the first SSH session you open is closed, all other sessions on that connection are closed as well. This can lead to a variety of surprising behavior: if you exit the initial SSH shell while other sessions are sharing the connection, the process will just hang. If you send it a Ctrl-C, all of those other sessions will be abruptly terminated. In contrast, with ControlPersist set, the master connection will remain open for the specified number of seconds after your last SSH session on that connection has exited.

Now watching a video and viewing an image and playing an mp3 through ssh via different terminal windows works fine.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#9 Post by rufwoof »

I see that Win10 PowerTools now has a ssh option. Not sure if that works better or less well than PuTTY.

I've attempted to tweak my

Code:

ssh -t -p 443 ssh@ssh.ddnsfree.com
to be relatively consistent across Windows and Linux (both console and within tmux). The current oddity is Win10's ssh where the ncurses menu lines are showing as characters rather than lines.
Last edited by rufwoof on Sun 07 Apr 2019, 15:18, edited 1 time in total.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#10 Post by rufwoof »

mpv seems to work well at playing videos and sound via ssh.

Looking around for an image viewer that accepts pipe and feh looked to fit the bill, but then I noticed that mpv can also be used as an image viewer, just set the display duration to infinity ...

Code:

ssh ssh@ssh.ddnsfree.com 'pngtest' | mpv --image-display-duration=inf -

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#11 Post by rufwoof »

This provides a feel for the workings of the sort of thing I have in mind for a ssh based browser ...

Note the comments i.e. you need mpv installed, and also need to tweak your /etc/ssh/ssh_config file

Also you may have to run ... killall mpv ... after closing things down, depending upon how you close the windows down.

Again only works if my desktop PC is powered up, and it's not a 24/7 powered up desktop (I really should set up a 24/7 version).

Code:

#!/bin/sh
#
# Rufwoof April 2019
#
# Assumes mpv and sakura are installed
#
# Currently not a very good working example, but it does seem to work
# of using ssh as a form of browser
# The ssh server connected to here is open, i.e. anyone with the 
# ssh@ssh.ddnsfree.com location can access the content.
# That runs a restricted shell, so limited commands available
# This script demonstrates multiple connections that connect to
# a interactive command line session, a dialog based menu session and
# a ncurses based menu. It also starts a video, mp3 sound track and
# displays a picture
#
# you may have to run killall mpv after running this, depending upon how
# you closed things down. I've set it so closing the cli window 
# should killall mpv and sakura i.e. tidy up.
#
# IMPORTANT ....
# ... also ensure you have the following configuration settings at the end of
# your /etc/ssh/ssh_config
#
# Host ssh.ddnsfree.com
#    User ssh
#    HostName ssh.ddnsfree.com
#    ControlMaster auto
#    ControlPath ~/.ssh/%r@%h:%p
#
# ... AS THAT ENSURES YOU ROUTE ALL SSH TRAFFIC VIA THE SINGLE CONNECTION.
# OTHERWISE ONE SSH CONNECTION CLOSING CAN CLOSE ALL OTHERS
#

# Show the ssh servers cli
sakura --geometry 80x22+5+5 -e "ssh -t ssh@ssh.ddnsfree.com" &
PID=$!    # preserve the cli window as the key window i.e. close it and the others close
# and show a picture
ssh ssh@ssh.ddnsfree.com 'pngtest' | mpv --geometry 594x359-12-31 --image-display-duration=inf - &
# and play a video
ssh ssh@ssh.ddnsfree.com 'videotest' | mpv --geometry 604x365-8+24 - &
# and show a ncurses example menu
sakura --geometry 67x25+7-35 -e ssh -t ssh@ssh.ddnsfree.com nmenu &
# and show a DIALOG menu
sakura --geometry 54x22-0+118 -e ssh -t ssh@ssh.ddnsfree.com menu &
# and play some music
ssh ssh@ssh.ddnsfree.com 'mp3test' | mpv - &
# kill -0 ... checks for existence (not very intuitive!)
while kill -0 $PID >/dev/null 2>&1
do
	sleep 1
done
killall mpv sakura