is there a way to restrict and authenticate client?
I'm thinking of running a cloud-based full node together with EPS. As such I'd like to restrict connections to my own clients/wallets. Is this possible?
Discussion on this topic is here: https://github.com/chris-belcher/electrum-personal-server#exposure-to-the-internet
If anything is unclear, feel free to ask more questions.
Thanks for the pointer. I took a look, but unfortunately none of the measures is ideal for my case.
- IP whitelisting: my client machine has a dynamic IP address. Not suitable.
- SSH tunneling: my client machine currently has outgoing port 22 disabled (for security).
Is it possible to set up some kind of user/password pair? Or have client-side SSL certification and authentication?
That's one of the possible further areas for development: https://github.com/chris-belcher/electrum-personal-server#further-ideas-for-work
Both of the ideas you mentioned require adding new features to the Electrum wallet client itself. They are good ideas though; I don't know how else you'd do it. They might not help you right now, because they require writing and testing new code.
Have you considered setting up a Tor hidden service that redirects to port 22, and then connecting SSH to that? Then you don't need open ports, which reduce security. This is what I do myself; the ssh line I use is:
`ssh -o ProxyCommand="nc -x 127.0.0.1:9150 %h %p" -p 12345 [email protected] -L 50002:localhost:50002`
In this example the onion listens on port 12345 and then redirects to port 22. Onion v3 addresses don't get leaked either, so unless you tell someone your onion they'll have no idea it exists or listens for ssh. And for greater security use key-based certificate authentication rather than username/password.
Thanks for your reply. I understand client authentication will need an Electrum-side change, and may not come quickly.
I eventually decided to use SSH tunneling with a key/certificate. Since my server has a fixed IP address, opening port 22 to a specific IP address is not a big loss in security. Thanks for the good work!
A quick tip for people using ssh+tor: you can add this to your ~/.ssh/config file to automatically proxy all .onion hosts via Tor:
```
Host *.onion
ProxyCommand /bin/nc -xlocalhost:9150 -X5 %h %p
```
Just for completeness, and in case someone else looks this up later, I attached my final solution below.
A few explanatory points:
- I did not go through the Tor network, as the designated server should be trusted.
- SSH auth supports 3 methods: plain password, default key, and alternative key/pem file.
- ssh uses the "-fN" option to fork into the background without executing a "sleep" command.
- The option "-o StrictHostKeyChecking=no" is there to prevent failing to ssh into a new host.
My project is to run the Electrum wallet from an immutable USB ISO image. I'm happy enough to call it a v1.0 release and, more importantly, to put my own money in it. If you are interested, take a look at https://github.com/monkey-jsun/eroas. And thanks again for the great EPS project!
```bash
function setup_ssh_tunnel() {
    # Skip if something is already listening on the local Electrum port.
    ret=$(netstat -tulpn 2>/dev/null | grep 50002)
    if [[ -n $ret ]]; then
        echo "SSH tunnel is already set up!"
        return
    fi
    # Build the command as an array. Quoting -o 'StrictHostKeyChecking=no'
    # inside a string and expanding it with $cmd passes the literal quote
    # characters to ssh, which rejects them as a bad configuration option.
    local ssh_opts=(-fN -o StrictHostKeyChecking=no \
        -L "127.0.0.1:50002:localhost:$SERVER_PORT" "$SSH_USER@$SERVER_IP")
    if [[ $SSH_AUTH_METHOD == 1 ]]; then
        cmd=(sshpass -p "$SSH_AUTH_DATA" ssh "${ssh_opts[@]}")
    elif [[ $SSH_AUTH_METHOD == 2 ]]; then
        cmd=(ssh "${ssh_opts[@]}")
    elif [[ $SSH_AUTH_METHOD == 3 ]]; then
        cmd=(ssh -i "$SSH_AUTH_DATA" "${ssh_opts[@]}")
    else
        myerror "Unknown SSH auth method : $SSH_AUTH_METHOD"
        return 1
    fi
    echo "Setting up SSH tunnel ... "
    if ! "${cmd[@]}"; then
        myerror "Failed to set up SSH tunnel : ${cmd[*]}"
    fi
}
```
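The script above disables StrictHostKeyChecking so that the first connection to a fresh host does not fail, which also means the first connection accepts whatever host key is presented. As an added example (not part of the eroas script or the EPS project), here is the same tunnel setup with the server's host key pinned in a dedicated known_hosts file instead. It assumes the variables SERVER_IP, SERVER_PORT, SSH_USER, SSH_AUTH_METHOD and SSH_AUTH_DATA from the script above; SSH_BIN and SSHPASS_BIN are hypothetical overrides that default to the real binaries so a test can substitute `echo` for a dry run.

```shell
# Added example: host-key-pinned variant of setup_ssh_tunnel (not the eroas
# script's own code). SSH_BIN / SSHPASS_BIN are assumed overrides for testing.
SSH_BIN=${SSH_BIN:-ssh}
SSHPASS_BIN=${SSHPASS_BIN:-sshpass}

# pin_host_key HOST PUBKEY FILE
# Writes a one-line known_hosts file for HOST. PUBKEY is the server's public
# host key (the contents of its /etc/ssh/ssh_host_ed25519_key.pub), obtained
# out of band, e.g. copied from the server console when it was provisioned.
pin_host_key() {
    host=$1; pubkey=$2; file=$3
    [ -n "$host" ] && [ -n "$pubkey" ] && [ -n "$file" ] || return 1
    printf '%s %s\n' "$host" "$pubkey" > "$file"
    chmod 600 "$file"
}

# setup_pinned_tunnel KNOWN_HOSTS_FILE
# Like setup_ssh_tunnel, but ssh is told to trust only the pinned key, so a
# host presenting any other key is refused instead of silently accepted.
# Arguments are passed as real words ("$@"), not as one string, so the -o
# values need no quoting tricks.
setup_pinned_tunnel() {
    khfile=$1
    [ -r "$khfile" ] || { echo "known_hosts file $khfile not readable" >&2; return 1; }
    set -- -fN -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=$khfile" \
        -L "127.0.0.1:50002:localhost:$SERVER_PORT" "$SSH_USER@$SERVER_IP"
    case $SSH_AUTH_METHOD in
        1) "$SSHPASS_BIN" -p "$SSH_AUTH_DATA" "$SSH_BIN" "$@" ;;
        2) "$SSH_BIN" "$@" ;;
        3) "$SSH_BIN" -i "$SSH_AUTH_DATA" "$@" ;;
        *) echo "Unknown SSH auth method: $SSH_AUTH_METHOD" >&2; return 1 ;;
    esac
}
```

If sshd is reached on a port other than 22 (as with the onion listening on port 12345 earlier in the thread), the known_hosts entry must use the `[host]:port` form for ssh to match it.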