Ziti for the Win! - first service with no handholding (sort of)

Hi, I just wanted to share this win. I have FINALLY wrapped my head around the relationship between the services, the bind/dial and role attributes. I have a simple-to-repeat formula for building access to my existing Linux systems with tunnelers.

Here is what I have come up with.

export NAME=pve
export PORT=8006

# client side: what the tunneler intercepts ($dst_hostname is a ziti template, keep it unexpanded)
ziti edge create config "${NAME}".cfg.intercept.v1 intercept.v1 '{
  "addresses": ["*.jp"],
  "protocols": ["tcp"],
  "portRanges": [ {"low":'"${PORT}"',"high":'"${PORT}"'} ],
  "dialOptions": { "identity": "$dst_hostname" }
}'

# server side: where the hosting tunneler forwards to ($tunneler_id.name is a ziti template)
ziti edge create config "${NAME}".cfg.host.v1 host.v1 '{
  "address":"127.0.0.1",
  "protocol":"tcp",
  "port":'"${PORT}"',
  "listenOptions": { "identity": "$tunneler_id.name" }
}'

# the service ties both configs together and gets role attributes the policies can match on
ziti edge create service "${NAME}" \
  --configs "${NAME}".cfg.intercept.v1,"${NAME}".cfg.host.v1 \
  --role-attributes "${NAME}".dial,"${NAME}".bind

# identities tagged #NAME.bind may host the service
ziti edge create service-policy "${NAME}".bind Bind \
  --identity-roles '#'"${NAME}.bind" \
  --service-roles '@'"${NAME}"

# identities tagged #NAME.dial may connect to the service
ziti edge create service-policy "${NAME}".dial Dial \
  --identity-roles '#'"${NAME}.dial" \
  --service-roles '@'"${NAME}"

# scorched earth protocol
ziti edge delete config "${NAME}".cfg.host.v1
ziti edge delete config "${NAME}".cfg.intercept.v1
ziti edge delete service "${NAME}"
ziti edge delete service-policy "${NAME}".bind
ziti edge delete service-policy "${NAME}".dial

Nice!

I always reference the one I made last year for zssh. A few subtle differences here/there but nothing substantial.

Congratulations on getting to the point of grok'ing the idea!!!

:ziggy_dabs:

yeah, I found that and heavily plagiarized :smiley:

@TheLumberjack

It took me some time to understand why/how intercept is not needed in your zssh example. In fact, I got it after I saw your YouTube video: https://www.youtube.com/watch?v=HFkT3NgjnJw at 1:35.

# intercept is not needed for zscp/zssh, but create it for testing if you like
ziti edge create config "${service_name}"-client-config intercept.v1 '{
  "protocols": ["tcp"],
  "addresses": ["'"${service_name}.ziti"'"],
  "portRanges": [ {"low":'"${the_port}"', "high":'"${the_port}"'} ]
}'
ziti edge create service "${service_name}" --configs "${service_name}"-client-config,"${service_name}"-host.v1

Maybe you can show in your example what the service looks like without intercept:

ziti edge create service "${service_name}" --configs "${service_name}"-host.v1
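To make both variants in this thread repeatable (the tunneler-intercepted service from the first post, and the host-only service for a ziti-native client such as zssh from the reply above), here is an added wrapper script. It is example code written for this thread, not code from the posters or from the OpenZiti project. It assumes the `ziti` CLI is on PATH and already logged in to a controller; `DRY_RUN=1` prints the commands instead of running them. The `valid_name`/`valid_port` guards, the reversed delete order and the `check_service` step (which assumes `ziti edge policy-advisor` exists in your CLI version) go beyond what the posts show.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code or the OpenZiti project's):
# a reusable wrapper around the config/service/policy "formula" above.
# Assumes `ziti` is on PATH and already logged in; DRY_RUN=1 prints instead of running.
set -eu

ZITI="${ZITI:-ziti}"
DRY_RUN="${DRY_RUN:-0}"

# Run one ziti CLI command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$ZITI" "$@"
    printf '\n'
  else
    "$ZITI" "$@"
  fi
}

# A service name ends up in config names and role attributes; keep it to a safe charset.
valid_name() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Reject anything that is not a 1-65535 port before it is spliced into JSON.
valid_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Client-side intercept config: what the tunneler on the dialing side captures.
# $dst_hostname is an OpenZiti template, so it must reach the CLI unexpanded.
intercept_json() {  # address-pattern port
  printf '{"addresses":["%s"],"protocols":["tcp"],"portRanges":[{"low":%s,"high":%s}],"dialOptions":{"identity":"$dst_hostname"}}' "$1" "$2" "$2"
}

# Server-side host config: the hosting tunneler forwards to 127.0.0.1:port.
host_json() {  # port
  printf '{"address":"127.0.0.1","protocol":"tcp","port":%s,"listenOptions":{"identity":"$tunneler_id.name"}}' "$1"
}

# create_service NAME PORT [ADDRESS] [WITH_INTERCEPT]
#   ADDRESS defaults to NAME.ziti; WITH_INTERCEPT=0 builds the host-only
#   variant for a ziti-native client such as zssh (no intercept config).
create_service() {
  svc=$1; port=$2; addr=${3:-"$1.ziti"}; with_intercept=${4:-1}
  valid_name "$svc" || { echo "invalid service name: $svc" >&2; return 1; }
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  configs="$svc.cfg.host.v1"
  run edge create config "$svc.cfg.host.v1" host.v1 "$(host_json "$port")"
  if [ "$with_intercept" = "1" ]; then
    run edge create config "$svc.cfg.intercept.v1" intercept.v1 "$(intercept_json "$addr" "$port")"
    configs="$svc.cfg.intercept.v1,$configs"
  fi
  run edge create service "$svc" --configs "$configs" --role-attributes "$svc.dial,$svc.bind"
  # Identities tagged #NAME.bind may host it; identities tagged #NAME.dial may reach it.
  run edge create service-policy "$svc.bind" Bind --identity-roles "#$svc.bind" --service-roles "@$svc"
  run edge create service-policy "$svc.dial" Dial --identity-roles "#$svc.dial" --service-roles "@$svc"
}

# Tear down in reverse order (policies, service, configs) so nothing is left referencing a deleted object.
delete_service() {
  svc=$1
  run edge delete service-policy "$svc.dial"
  run edge delete service-policy "$svc.bind"
  run edge delete service "$svc"
  run edge delete config "$svc.cfg.intercept.v1" || true  # absent for host-only services
  run edge delete config "$svc.cfg.host.v1"
}

# Show which identities can bind/dial the service (policy-advisor is assumed to be present).
check_service() {
  run edge policy-advisor services "$1"
}

case "${1:-}" in
  create) create_service "$2" "$3" "${4:-}" "${5:-1}" ;;
  delete) delete_service "$2" ;;
  check)  check_service "$2" ;;
esac
```

Usage: `./ziti-svc.sh create pve 8006 '*.jp'` reproduces the first post; `./ziti-svc.sh create zssh 22 '' 0` creates the host-only service the reply asks about; `./ziti-svc.sh check pve` lists which identities the two policies grant bind and dial. The JSON is built with `printf` rather than nested shell quoting so the `$dst_hostname` and `$tunneler_id.name` templates cannot be expanded by accident, and the port is validated before it is spliced into the config.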

Hrmmm.. Maybe I need to make another video demonstrating the 'why'. For anyone else that finds this thread let me give a brief explainer:

zssh is a purpose-built ssh client built primarily from the excellent golang standard library. You can find the zssh readme in the openziti test kitchen. It is a "ziti-native" application, meaning it has an OpenZiti SDK (the golang one) built into it. Because it has zero trust built into it, you don't need a tunneling app to use it. It's basically a bespoke tunneling application of its own with a singular purpose: ssh'ing to remote machines. Because it has OpenZiti built in and because it doesn't require a client-side tunneler, there is no need to create/associate an "intercept" config.

Hope that makes sense. Glad you got it! :slight_smile:

In my example I was using SSH as an example... just because it was about as frictionless to set up on the hosts and have consistent tests. Plus I didn't know about ZSSH.

That said, I'm going to watch the video and see if I can get this figured out and tighten up the ssh. I have used similar modified SSH clients for services like AWS EC2 Instance Connect.