Package sshego is a golang libary that does secure port
forwarding over ssh.
Also `gosshtun` is a command line utility included here that
demonstrates use of the library; and may be useful standalone.
The intent of having a Go library is so that it can be used
to secure (via SSH tunnel) any other traffic that your
Go application would normally have to do over cleartext TCP.
While you could always run a tunnel as a separate process,
by running the tunnel in process with your application, you
know the tunnel is running when the process is running. It's
just simpler to administer; only one thing to start instead of two.
Also this is much simpler, and much faster, than using a
virtual private network (VPN). For a speed comparison,
consider  where SSH is seen to be at least 2x faster
The sshego library typically acts as an ssh client, but also
provides options to support running
an embedded sshd server daemon. Port forwarding
is the most typical use of the client, and
this is the equivalent
of using the standalone `ssh` client program
and giving the `-L` and/or `-R` flags.
If you only trust the user running your application and
not your entire host, you can further restrict access
by using either DialConfig.Dial() for a direct-tcpip connection, or
by using the unix-domain-socket support.
is equivalent to
with the addendum that `gosshtun` requires the use of passwordless
private `-key` file, and will never prompt you for a password at the keyboard.
This makes it ideal for embedding inside your application to
secure your (e.g. mysql, postgres, other cleartext) traffic. As
many connections as you need will be multiplexed over the
same ssh tunnel.
We check the sshd server's host key. We prevent MITM attacks
by only allowing new servers if `-new` is given.
You should give `-new` only once at setup time.
Then the lack of `-new` can protect you on subsequent runs,
because the server's host key must match what we were
given the first time.
means the following two network hops will happen, when a local browser connects to localhost:8888
where (a) takes place inside the previously established ssh tunnel.
Connection (b) takes place over basic, un-adorned, un-encrypted TCP/IP. Of
course you could always run `gosshtun` again on the remote host to
secure the additional hop as well, but typically -remote is aimed at the 127.0.0.1,
which will be internal to the remote host itself and so needs no encryption.