feat: optionally limit access to nodes listed in authorized_keys file #68

Open: wants to merge 4 commits into main


Frando (Member) commented Jul 7, 2025

Allows limiting access to a dumbpipe server to nodes listed in an authorized_keys file.

Quoting from the new section in the README:

You can limit access to a dumbpipe listener through a keys file, similar to the authorized_keys file that SSH uses.
You can put the file wherever you want, e.g. at ~/.dumbpipe/authorized_keys. For the file to be used, and thus
access to be limited, specify the file path with the --authorized-keys (or -a) flag when launching dumbpipe.
When authorization is set, only connections from nodes listed in the file will be accepted.

Here's an example file:

# dumbpipe authorized nodes
148449487b53bb90382927634114457ef90d2a63127200fd8816a8dffb9d48c6 some-server
3827f5124d03d10f2f344d319a88c64c198c4db1335560ea6aad41ce2fb7c311 devbox

The file must contain a list of hex-encoded node ids, separated by newlines.
The node ids may be followed by a comment, separated by a space from the encoded node id.
Lines starting with # are ignored and can be used as comments.
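
A parser for the file format described above, as an added example that is not part of the pull request or dumbpipe's own code. The function names are hypothetical; it assumes node ids are 32 bytes (64 hex characters, as in the sample file), that blank lines are skipped, and that a malformed entry should reject the whole file rather than be ignored.

```rust
use std::collections::HashSet;

// Hypothetical helper: decode one node id, assumed to be exactly 64 hex characters.
fn decode_node_id(hex: &str) -> Option<[u8; 32]> {
    let bytes = hex.as_bytes();
    if bytes.len() != 64 {
        return None;
    }
    let mut id = [0u8; 32];
    for (i, pair) in bytes.chunks(2).enumerate() {
        let hi = (pair[0] as char).to_digit(16)?;
        let lo = (pair[1] as char).to_digit(16)?;
        id[i] = (hi * 16 + lo) as u8;
    }
    Some(id)
}

// Parse the file contents. A malformed entry fails the whole file (fail closed).
fn parse_authorized_keys(text: &str) -> Result<HashSet<[u8; 32]>, String> {
    let mut allowed = HashSet::new();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        // '#' lines are comments; skipping blank lines is an assumption.
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        // First token is the node id; the rest of the line is a free-form comment.
        let token = line.split_whitespace().next().unwrap_or("");
        let id = decode_node_id(token).ok_or_else(|| format!("line {}: invalid node id", n + 1))?;
        allowed.insert(id);
    }
    Ok(allowed)
}

// Allow-list check: an empty set authorizes nobody.
fn is_authorized(allowed: &HashSet<[u8; 32]>, remote: &[u8; 32]) -> bool {
    allowed.contains(remote)
}

// The example file from the README section quoted above.
const SAMPLE: &str = "# dumbpipe authorized nodes\n\
148449487b53bb90382927634114457ef90d2a63127200fd8816a8dffb9d48c6 some-server\n\
3827f5124d03d10f2f344d319a88c64c198c4db1335560ea6aad41ce2fb7c311 devbox\n";

fn main() {
    let allowed = parse_authorized_keys(SAMPLE).expect("sample file parses");
    println!("{} authorized nodes", allowed.len());
    println!("unknown node allowed: {}", is_authorized(&allowed, &[7u8; 32]));
}
```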

@@ -341,23 +382,24 @@ async fn connect_stdio(args: ConnectArgs) -> Result<()> {
builder = builder.bind_addr_v6(addr);
}
let endpoint = builder.bind().await?;
eprintln!("endpoint bound with node id {}", endpoint.node_id());
let addr = args.ticket.node_addr();
let remote_node_id = addr.node_id;
// connect to the node, try only once
let connection = endpoint.connect(addr.clone(), &args.common.alpn()?).await?;
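
Review bot: the `endpoint.connect(addr.clone(), &args.common.alpn()?).await?` line at the end of this hunk propagates the connect error with no added context, so nothing here tells the user that the listener may have refused them under --authorized-keys. Consider attaching context that names `remote_node_id` and points at the local node id printed by the `eprintln!` above, since that is the value the listener's operator has to add to the authorized_keys file.
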
Member review comment:

It might be reasonable to check for the 403 error code here to provide a nice error message when you're not authorized. Perhaps saying something like "The remote node denied access: Your node ID is not configured as authorized in the remote authorized_keys file."

maan2003 commented Jul 7, 2025

implemented based on cli flags, it is less state. maan2003@f22fc7e

rklaehn (Contributor) commented Jul 28, 2025

Given that dumbpipe is supposed to be a very simple and lightweight tool, I am in favour of using just CLI args for this. Adding a file with an associated file format feels a bit heavy.
