Commit bea8cff

- crash: updating README
1 parent d67e94c commit bea8cff

1 file changed

+48
-4
lines changed

README.md

Lines changed: 48 additions & 4 deletions
@@ -35,6 +35,8 @@ An SSH alternative featuring:
3535
* SNI hiding mode
3636
* can use UDP transport mode with DTLS and added reliability and flow-control
3737
layer
38+
* transparent roaming support with DTLS client sessions
39+
* suspend/resume support with DTLS client sessions
3840

3941
Build
4042
-----
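
Review bot: the two new feature bullets (lines 38-39) do not say that roaming and suspend/resume are experimental and only apply when *crashd* is started with `-R`, which the new Suspend/Resume/Roaming section states. Suggest adding "(experimental, requires `-R`)" or a pointer to that section, so the feature list does not read as default behaviour.
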
@@ -75,6 +77,16 @@ before `make` in order to generate DH parameters before the build. Thats not str
7577
as of TLS 1.3, since the Kex will most likely chose one of the ECDH variants, but if you customize
7678
your setup, it is recommended to generate your own DH params.
7779

80+
81+
Legacy builds
82+
-------------
83+
84+
If `make` detects that TLSv1.3 is not available on the system or `TLS_COMPAT_DOWNGRADE` is
85+
defined, the binaries are built with TLSv1.2 only. This is to allow using it on legacy
86+
systems when no other options are available. Obviosuly, the built binaries are not
87+
compatible to normal builds, but include full support of all other features.
88+
89+
7890
OpenSSL3 builds
7991
---------------
8092

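
Review bot: the Legacy builds paragraph (lines 84-87) does not say how `TLS_COMPAT_DOWNGRADE` is defined (make variable, environment, or compiler define), nor how an operator can tell which mode a given binary was built in. Because `make` falls back to TLSv1.2-only on its own when TLSv1.3 is not detected, and the result is not compatible with normal builds, the text should name the switch precisely and describe a way to check the outcome. Spelling: "Obviosuly" should be "Obviously", and "compatible to" should be "compatible with".
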
@@ -104,17 +116,18 @@ stealth@linux ~> ./crashd -h
104116
105117
crypted admin shell (C) 2023 Sebastian Krahmer https://github.com/stealth/crash
106118
107-
Usage: ./crashd [-U] [-q] [-a] [-6] [-D] [-H host] [-p port] [-A auth keys]
119+
120+
Usage: ./src/crashd [-U] [-q] [-a] [-6] [-D] [-H host] [-p port] [-A auth keys]
108121
[-k server key-file] [-c server X509 cert] [-L [ip]:port] [-S SNI]
109-
[-t trigger-file] [-m trigger message] [-e] [-g good IPs] [-N] [-w]
110-
[-x socks5://[ip]:port]
122+
[-t trigger-file] [-m trigger message] [-e] [-g good IPs] [-N] [-R]
123+
[-x socks5://[ip]:port] [-w]
111124
112125
-a -- always login if authenticated, despite false/nologin shells
113126
-U -- run as user (e.g. turn off setuid() calls) if invoked as such
114127
-e -- extract key and certfile from the binary itself (no -k/-c needed)
115128
-q -- quiet mode, turns off logging and utmp entries
116129
-6 -- use IPv6 rather than IPv4
117-
-w -- wrap around PID to appear in system PID space (must be last arg!)
130+
-w -- setproctitle to `[kthreadd]` (must be last arg!)
118131
-H -- host to connect to; if omitted: passive connect (default)
119132
-p -- port to connect to when active connect; default is 2222
120133
-L -- local [ip]:port used for binding ([0.0.0.0]:2222)
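
Review bot: the new `-w` line (line 130) keeps "(must be last arg!)" from the old PID wrap-around description; please confirm the constraint still holds for the setproctitle variant and say why, since the synopsis now moves `[-w]` to the end without explanation. The synopsis also changed to `./src/crashd` while the example prompt above it still runs `./crashd -h`, so the two should be made consistent.
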
@@ -130,6 +143,7 @@ Usage: ./crashd [-U] [-q] [-a] [-6] [-D] [-H host] [-p port] [-A auth keys]
130143
-N -- disable TCP/UDP port forwarding
131144
-D -- use DTLS transport (requires -S)
132145
-x -- use this SOCKS5 proxy when using active connect
146+
-R -- allow clients to roam sessions
133147
-S -- SNI to hide behind
134148
```
135149

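
Review bot: the `-R` help line (line 146) gives no hint that it only matters for DTLS sessions, while the `-D` line in the same block spells out its dependency as "(requires -S)". The new README section ties roaming to DTLS sessions, so something like "-R -- allow clients to roam sessions (DTLS only)" would match the existing style and keep operators from enabling it on a TCP setup and expecting an effect.
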
@@ -354,6 +368,8 @@ situation it should just work painlessly.
354368
If you pass `-X IP-address` (must come before any other proxy argument), you can bind your local proxy
355369
to an address different from `127.0.0.1`, so you can share the proxy in your local network.
356370

371+
There is also a client side SOCKS5 support available when using *crashc* with `-x`.
372+
357373

358374
proxying based on SNI
359375
---------------------
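
Review bot: the added sentence (line 371) does not give the argument format for *crashc* `-x`, and it sits directly under the `-X IP-address` paragraph, so `-x` and `-X` are easy to mix up. Suggest showing the form (the *crashd* usage text has `-x socks5://[ip]:port`) and stating whether *crashc* takes the same. Wording: "There is also client-side SOCKS5 support available".
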
@@ -383,6 +399,34 @@ DTLS mode is still experimental (although working stable) and will switch to DTL
383399
as it is implemented widely (DTLS 1.3 RFC was just finished 2022).
384400

385401

402+
Suspend/Resume/Roaming
403+
----------------------
404+
405+
This is an experimental feature, although working stable.
406+
407+
When using DTLS sessions and *crashd* is started with `-R`, you will get the following:
408+
409+
* transparent roaming of the client sessions - including existing SOCKS connections - which
410+
allows to switch underlying physical layer, VPN, Interface, NAT or IP address without
411+
even noticing it
412+
* *crashc* may be terminated via `SIGTERM`, so it will dump the session to a ticket
413+
file (`-t`) which can later be resumed from by passing the correct dst IP:port and ticket
414+
but w/o the need to authenticate again (no `-i`) - with full roaming support
415+
416+
In the 2nd case, **the ticket file will not be encrypted**, so make sure you never leak it.
417+
This allows you to switch off your laptop and continue working from elsewhere or even
418+
share the ticket to another admin who then continues your session.
419+
420+
One thing is special with regards to bound server ports when using roaming: Due to
421+
UDP internals, the next open session for a followup "connect" will be on the next
422+
free port in the range of `[port, port + 1000]` and not on the same port as when using TCP.
423+
This needs to be as with roaming we cannot actually call `connect()` to virtually create a
424+
connected tuple, as the next session packet can arrive from anywhere - not just from the
425+
originating IP as happens with TCP. So when you start the server with `-p 2222` and one
426+
roaming session already exists, the next one needs to "connect" to port `2223`. If the
427+
session at port `2222` is finished (not suspended, but really finished), port `2222`
428+
will become available again to the next client.
429+
386430
Mitigating traffic analysis
387431
---------------------------
388432

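
Review bot: the ticket paragraph (lines 412-418) says the ticket file is not encrypted and that resuming needs no `-i`, which makes the file a bearer credential for the session, yet the text does not say with which permissions *crashc* writes it, whether a ticket stays valid after it has been resumed once, or how a leaked ticket can be invalidated. Those points should be documented next to the suggestion to share the ticket with another admin. Separately, the `[port, port + 1000]` paragraph (lines 420-428) should tell operators that a roaming server needs that whole UDP range reachable through firewalls, not only the `-p` port.
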