SSH into your laptop using their Github handle
Instant SSH Everywhere
Wouldn’t it be great to allow a fellow developer to quickly and securely SSH into your laptop when you’re in the middle of a debugging session even if you are on two separate networks behind NAT?
A few months ago we released a free tool, Teleconsole, we built so we could do exactly that. We are a distributed team, with bare metal servers sitting in our San Francisco office, several AWS and Azure regions and a bunch of customer environments we are sometimes asked to jump into.
Teleconsole makes it really easy to share a session: the inviting party simply types the following into the terminal on any UNIX machine:
Which produces something like:
Your Teleconsole ID: 02f8cf345e9f00c1ee498ce410e8a2d10fb8a512 WebUI for this session: https://teleconsole.com/s/02f8cf345e9f00c1ee498ce410e8a2d10fb8a512
Then you can just share the Teleconsole ID to invite someone and they just have to type the following to jump into your session:
$ teleconsole join 02f8cf345e9f00c1ee498ce410e8a2d10fb8a512
This is how we invite each other to any server or laptop. It works behind most firewalls without messing around with VPNs.
Here’s a short video showing how it works:
Adding SSH Keys
This is great but it also means that anybody with this session ID can now join your session.
This is not a concern for most situations: guessing the ID is pretty hard with 2^320 combinations. But what if someone attacks the channel you’ve shared the session ID over or it otherwise falls into the wrong hands?!
Well, now you can pass an SSH public key to
teleconsole as an argument
-i flag, and only folks with a corresponding private key will be able to
To make it even easer (as suggested by the Teleconsole community) the public key can be specified not only as a file but also as a Github handle! So you can do both:
# use the public key stored in a file: $ teleconsole -i kontsevoy.pub # or you can use a public key of "kontsevoy" account on Github: $ teleconsole -i kontsevoy
Either way, Teleconsole will give you a session ID to share that only
kontsevoy can use to join, because he has a private SSH key in his
directory which matches his public key:
$ teleconsole -i kontsevoy Starting local SSH server on localhost... Requesting a disposable SSH proxy on teleconsole.com for kontsevoy... Checking status of the SSH tunnel... Your Teleconsole ID: 8cbec01f330fb52aedff90e43db1c8bea2455cb6 WebUI is not available for key-restricted sessions
Teleconsole will make an API call to Github, request the public key of
kontsevoy and will configure your session to only let
kontsevoy in and
nobody else. This way even if someone steals the session ID, they will not be
able to join because they don’t have the private part of the key, only
kontsevoy has that.
konstevoy can join your terminal session using that
Teleconsole ID, just as before:
$ teleconsole join 8cbec01f330fb52aedff90e43db1c8bea2455cb6 Teleconsole: joining session... Matching key: /Users/ekontsevoy/.ssh/id_rsa taylorwakefield ~:
It’s really that easy…
Thanks to Teleconsole users for this neat idea. Hope you enjoy!
Teleport cybersecurity blog posts and tech news
Every other week we'll send a newsletter with the latest cybersecurity news and Teleport updates.
Tech behind Teleconsole
The Teleconsole code is on Github. Feel free to poke around to understand how it works. It appears to be a tiny project, but only because it’s standing on the shoulders of giants, namely:
- Golang’s excellent SSH implementation
- Teleport SSH Server - our open source SSH server which enables on-the-fly SSH bastions, among other cool things.
Subscribe to the updates to this blog to receive news related to our SSH tech!
- Aggregating SSH logs into SumoLogic
- Teleport - SSH authentication with 2FA
- Managing Kubernetes: Part I. SSH certificates