ctz168

Sshtunnel

Author: SamAI.cc · GitHub ↗ · v4.7.0 · MIT-0
cross-platform ✓ Security check passed
54 total downloads · 1 favorite · 0 current installs · 3 versions
Install in OpenClaw
/install sshtunnel
Description
Expose local SSH servers to the public internet via aitun TCP tunnel with SSH-over-TLS routing. Each subdomain gets its own SSH endpoint on port 22 with perf...
Usage instructions (SKILL.md)

SSH Tunnel - Remote SSH Access via SSH-over-TLS

When to Use

Use this skill when:

  • You need to access a remote machine via SSH that is behind NAT, firewall, or a private network
  • You want to expose a local SSH server so a colleague or client can connect remotely
  • You are running SSH in a container or VM that has no public IP and need to make it reachable
  • You want to provide temporary SSH access for pair programming, debugging, or server maintenance
  • You need to connect to a development machine from another location without VPN or port forwarding
  • Multiple users each need their own SSH endpoint on the same server port

Do NOT use this skill when:

  • The SSH server already has a public IP and is directly reachable
  • You only need to transfer files (use sendfile instead)
  • You want to expose an HTTP service (use aitun-tunnel instead)

Instructions

Step 1: Install aitun

pip install aitun

Or verify it is already installed:

which aitun || pip show aitun

Step 2: Ensure SSH server is running locally

Verify the local SSH daemon is running and accessible:

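# Check if sshd is running (the [s] keeps grep from matching its own process)
ps aux | grep '[s]shd'

# Or check if port 22 is listening (trailing space avoids matching :2222 etc.)
ss -tlnp | grep ':22 '

# Test local SSH connection
ssh localhost echo "SSH OK"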

If sshd is not running, install and start it:

# Ubuntu/Debian
sudo apt install openssh-server -y
sudo systemctl start ssh    # the unit is named ssh (not sshd) on Debian/Ubuntu

# CentOS/RHEL
sudo yum install openssh-server -y
sudo systemctl start sshd

# macOS (usually pre-installed)
sudo systemsetup -setremotelogin on

Step 3: Create a TCP tunnel for SSH

SSH uses TCP port 22. Use aitun's --tcp-ports flag to forward this port. TCP forwarding requires an auth token (register at https://aitun.cc):

aitun -p 22 --tcp-ports 22 -k YOUR_TOKEN &
AITUN_PID=$!
sleep 3

The output will show:

[TCP] ssh -> localhost:22 (subdomain: yourname.t.aitun.cc:22)

Step 4: Configure SSH ProxyCommand

On the remote client machine (the one connecting TO your SSH server), add this to ~/.ssh/config:

Host *.t.aitun.cc
    ProxyCommand aitun ssh-proxy %h %p

This tells SSH to route connections through aitun ssh-proxy, which wraps SSH in TLS with the correct SNI for subdomain routing.

Step 5: Connect remotely

From any machine with aitun installed:

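# username and yourname are placeholders: your SSH user and your aitun subdomain
# Direct SSH — just like a normal server!
ssh username@yourname.t.aitun.cc

# With SSH key
ssh -i ~/.ssh/id_rsa username@yourname.t.aitun.cc

# With verbose output for debugging
ssh -v username@yourname.t.aitun.cc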

Step 6: Clean up

When done, stop the tunnel:

kill $AITUN_PID 2>/dev/null

How SSH-over-TLS Works

aitun v4.7.0 uses SSH-over-TLS for perfect multi-tenant SSH on shared ports:

ssh username@acer.t.aitun.cc
        ↓
  ProxyCommand: aitun ssh-proxy wraps SSH in TLS (SNI=acer.t.aitun.cc)
        ↓
  Server terminates TLS, sees SNI → routes to "acer" tunnel
        ↓
  Decrypted SSH stream → tunnel client → localhost:22

Why TLS? The SSH protocol does not send the hostname the client is connecting to, so with unwrapped SSH (what aitun calls "plaintext SSH") there's no way to tell which subdomain a connection is targeting. By wrapping SSH in TLS, we get SNI (Server Name Indication), which tells the server exactly which subdomain to route to.

Result: Every subdomain can have its own SSH on port 22 — no conflicts, no ambiguity, no --tcp-default needed.

Advanced Usage

Forward Multiple Ports (SSH + MySQL)

aitun -p 22 --tcp-ports 22,3306 -k YOUR_TOKEN &
AITUN_PID=$!
sleep 3

SSH into a Container

# If SSH is running in a Docker container on a non-standard port
aitun -p 2222 --tcp-ports 2222 -k YOUR_TOKEN &

# Then connect (add port to ssh config):
ssh -p 2222 username@yourname.t.aitun.cc

Use with SSH Config (Recommended)

Add to ~/.ssh/config on the remote client:

Host *.t.aitun.cc
    ProxyCommand aitun ssh-proxy %h %p

Host my-remote-dev
    HostName yourname.t.aitun.cc
    User username
    IdentityFile ~/.ssh/id_rsa

Then simply:

ssh my-remote-dev

One-off SSH without Config

If you don't want to modify ssh config:

ssh -o "ProxyCommand=aitun ssh-proxy %h %p" username@yourname.t.aitun.cc

CLI Reference

The aitun command (installed via pip install aitun) accepts these flags:

Flag                 Description
-p PORT              Local service port (default: 8080)
-k TOKEN             Auth token for registered subdomain (required for TCP forwarding)
--host HOST          Local service address (default: localhost)
--tcp-ports PORTS    TCP forwarding ports, comma-separated (e.g., 22,3306; requires -k)
--p2p                Enable P2P direct connection (default: enabled)
--no-p2p             Disable P2P, force server relay mode
--daemon             Run as background daemon
--stop               Stop running daemon

Subcommand:

Command                          Description
aitun ssh-proxy <host> [port]    SSH ProxyCommand — wraps SSH in TLS for SNI routing

Notes

  • TCP forwarding (required for SSH) requires a registered account and -k token — free tunnels do not support TCP
  • Register at https://aitun.cc to get an auth token
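  • All traffic is encrypted end-to-end: SSH inside TLS inside the aitun tunnel. As the flow above shows, the aitun server terminates the TLS layer to read the SNI, so it is the SSH session itself that stays encrypted between the SSH client and your sshd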
  • ProxyCommand is required — plaintext SSH is not supported. Add ProxyCommand aitun ssh-proxy %h %p to your ~/.ssh/config
  • If the requested port (e.g., 22) is occupied on the server, a port from the 7000-7999 range will be automatically assigned
  • P2P mode reduces latency for SSH sessions; use --no-p2p only if P2P connection fails
  • For security, ensure your SSH server uses key-based authentication (disable password auth if possible)
  • Consider using fail2ban or similar tools to protect against brute-force attacks on your SSH server
  • The tunnel stays active as long as the aitun process runs; use --daemon for persistent background operation
  • Subdomains remain active for 30 days of inactivity; use heartbeat to renew
Security recommendations
Install only if you intentionally want remote SSH access to this machine. Before using it, harden SSH with key-only login, disable root/password authentication where possible, keep a way to stop the tunnel, and prefer the one-off ProxyCommand unless you want a lasting ~/.ssh/config rule.
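A pre-flight check for the hardening advice above and in the Notes, as an added example (not part of the skill or of aitun): it audits the effective sshd configuration printed by `sshd -T` before the tunnel is started. The expected values encode this page's advice (key-only login, no root login); the function names and sample outputs are constructed for illustration.

```python
import subprocess

# Settings the page's security advice asks for: key-only login, no root login.
EXPECTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}
# Older OpenSSH releases report the keyboard-interactive setting under this name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_effective_config(text):
    """Parse `sshd -T` output: one lowercase keyword and its value per line."""
    config = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword:
            config[ALIASES.get(keyword, keyword)] = value.strip().lower()
    return config

def audit(text):
    """Return one finding per setting that differs from EXPECTED."""
    config = parse_effective_config(text)
    findings = []
    for keyword, wanted in EXPECTED.items():
        actual = config.get(keyword, "<not reported>")
        if actual != wanted:
            findings.append(f"{keyword} is {actual}, expected {wanted}")
    return findings

def audit_local_sshd():
    """Audit this machine; sshd -T usually needs root to read the host keys."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True)
    return audit(out.stdout)

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_WEAK = """port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
"""
SAMPLE_HARDENED = """port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
"""
```

Start the tunnel only when `audit_local_sshd()` returns an empty list; `sshd -T` without `-C` reports the global settings, so `Match` blocks need a separate look.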
Capability assessment
Purpose & Capability
The skill’s stated purpose is to publish SSH access over an AiTun TCP tunnel, and the instructions consistently support that purpose with SSH daemon checks, tunnel setup, and SSH-over-TLS client routing.
Instruction Scope
The instructions are user-directed and scoped to local SSH/TCP forwarding, but they involve high-impact remote access and should make the public attack-surface warning more prominent.
Install Mechanism
The declared install mechanism is a Python/uv install of the aitun CLI, matching the documented commands and required binary; no unrelated installers or hidden scripts are present.
Credentials
Installing or starting openssh-server, enabling remote login, and forwarding port 22 are proportionate to an SSH tunnel skill, but users should only do this on hardened systems.
Persistence & Privilege
The tunnel runs until stopped, optional daemon mode is disclosed, and the SSH config change is persistent; the artifact also provides a one-off ProxyCommand alternative, but the persistence warning could be clearer.
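How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install sshtunnel
  3. Once installed, invoke the Skill by name or trigger it with /sshtunnel
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history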
v4.7.0
v4.7.0: SSH-over-TLS - plaintext SSH removed, ProxyCommand required, perfect multi-tenant SNI routing
v1.1.0
Add range-based port allocation fallback (7000-7999) when requested port is occupied
v1.0.0
Initial release: Expose local SSH servers to the public internet using aitun TCP tunnel. - Provides a step-by-step guide to expose SSH servers behind NAT/firewall using aitun. - Supports multiple port forwarding (e.g., SSH + MySQL). - Requires Python 3 and the aitun package. - Explains secure usage, including authentication and best practices. - Includes CLI reference, advanced use cases, and cleanup steps. - Useful for development, server management, and remote debugging without VPN or public static IP.
Metadata
Slug sshtunnel
Version 4.7.0
License MIT-0
Total installs 0
Current installs 0
Versions 3
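FAQ

What is Sshtunnel?

Expose local SSH servers to the public internet via aitun TCP tunnel with SSH-over-TLS routing. Each subdomain gets its own SSH endpoint on port 22 with perf... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 54 total downloads so far.

How do I install Sshtunnel?

Run the command "/install sshtunnel" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is Sshtunnel free?

Yes, Sshtunnel is completely free and uses the MIT-0 license; it can be downloaded, installed and used freely.

Which platforms does Sshtunnel support?

Sshtunnel is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Sshtunnel?

Developed and maintained by SamAI.cc (@ctz168); the current version is v4.7.0.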
