The spiped secure pipe daemon
Spiped (pronounced "ess-pipe-dee") is a utility for creating symmetrically encrypted and authenticated pipes between socket addresses, so that one may connect to one address (e.g., a UNIX socket on localhost) and transparently have a connection established to another address (e.g., a UNIX socket on a different system). This is similar to 'ssh -L' functionality, but does not use SSH and requires a pre-shared symmetric key.
Spiped uses strong and well-understood cryptographic components: The initial key negotiation is performed using HMAC-SHA256 and an authenticated Diffie-Hellman key exchange over the standard 2048-bit "group 14"; following the completion of key negotiation, packets are transmitted encrypted with AES-256 in CTR mode and authenticated using HMAC-SHA256. The simplicity of the code — about 6000 lines of C code in total, of which under 2000 are specific to spiped (the rest is library code originating from kivaloo and Tarsnap) — makes it unlikely that spiped has any security vulnerabilities.
On the author's 2.5 GHz Intel Core 2 laptop, spiped operates at approximately 300 Mbps.
Example usage
To set up an encrypted and authenticated pipe for sending email between two systems (in the author's case, from many systems around the internet to his central SMTP server, which then relays email to the rest of the world), one might run
dd if=/dev/urandom bs=32 count=1 of=keyfile spiped -d -s '[0.0.0.0]:8025' -t '[127.0.0.1]:25' -k keyfile
on a server and after copying keyfile to the local system, run
spiped -e -s '[127.0.0.1]:25' -t $SERVERNAME:8025 -k keyfile
at which point mail delivered via localhost:25
on the
local system will be securely transmitted to port 25 on the server
(which is configured to relay mail which arrives from 127.0.0.1 but
not from other addresses).
You can also use spiped to protect SSH servers from attackers: Since data is authenticated before being forwarded to the target, this can allow you to SSH to a host while protecting you in the event that someone finds an exploitable bug in the SSH daemon — this serves the same purpose as port knocking or a firewall which restricts source IP addresses which can connect to SSH. On the SSH server, run
dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped.key spiped -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped.key
then copy the server's /etc/ssh/spiped.key
to
~/.ssh/spiped_HOSTNAME_key
on your local system and add
the lines
Host HOSTNAME ProxyCommand spipe -t %h:8022 -k ~/.ssh/spiped_%h_key
to the ~/.ssh/config
file. This will cause ssh
HOSTNAME
to automatically connect using the spipe client via
the spiped daemon; you can then firewall off all incoming traffic on
port tcp/22.
The spiped project
Development of spiped takes place in the spiped git repository.
Mailing list
The spiped
secure pipe daemon is discussed on the
[email protected]
mailing list.
Official releases
The following versions of spiped are available:
Version | Release date | SHA256 hash |
spiped 1.6.2 | 2021-12-24 | 05d4687d12d11d7f9888d43f3d80c541b7721c987038d085f71c91bb06204567 |
spiped 1.6.1 | 2020-04-05 | 8d7089979db79a531a0ecc507b113ac6f2cf5f19305571eff1d3413e0ab33713 |
spiped 1.6.0 | 2017-04-29 | e6f7f8f912172c3ad55638af8346ae7c4ecaa92aed6d3fb60f2bda4359cba1e4 |
spiped 1.5.0 | 2015-02-22 | b2f74b34fb62fd37d6e2bfc969a209c039b88847e853a49e91768dec625facd7 |
spiped 1.4.2 | 2014-10-11 | dcb668f98a6bd761ff542f7079034f828f792259300eeb16aab53b687a805bde |
spiped 1.4.1 | 2014-09-07 | 0eeb4b8a94df985cfb60f452ced75f30509105a120ca09f740507c496c15c4f8 |
spiped 1.4.0 | 2014-08-28 | d8fa13a36905337bec97e507e0689f7bbc9e5426b88d588f3ddd3d6c290dcf5f |
spiped 1.3.1 | 2013-04-13 | 8a58a983be460b88ed5a105201a0f0afacb83382208761837a62871dcca42fee |
spiped 1.3.0 | 2013-04-06 | 6f3d512dbdc8e5e893fb533908d4f8bcd1fd23db783f63c7bc37cf5660c139d0 |
spiped 1.2.2 | 2012-11-15 | a9eb4681e4ccd5d86b8a2d4e16785db8ba10d8a9f7f732485511fd4b92dff1ec |
spiped 1.2.1 | 2012-08-31 | 4e2e532b2a7df8e9a771c27a1bc2889f0d834e986d4f4a02a2a12174560ea44b |
spiped 1.2.0 | 2012-08-30 | 46fb94da62bf1f074513047519f2d4f5faf103e5b8555e14a375a42b74508a6b |
spiped 1.1.0 | 2011-09-10 | b727b902310d217d56c07d503c4175c65387ff07c9cd50a24584903faf9f3dc3 |
spiped 1.0.0 | 2011-07-04 | 82df05533bf8d8580f57e6dbec7d7e2966eabd3ea7a0a0bb06f87000947969a3 |
Third-party helper scripts
Warning
Software deployment tools
Scripts have been written to deploy spiped to various configuration management and software deployment tools.
- Spiped Docker image: Spiped module for Docker; part of the Docker Official Images.