Deep dive

From remote debugging to data discovery, learn how Formant works from top to bottom.

    Deep dive into SSH

    Formant's SSH implementation

    Prerequisite

    Before reading further on this page, please make sure that you read the overview of SSH and configuring SSH.

    While our goal is to support SSH connectivity into the robot, the lowest-layer problem we are solving for the customer is NAT traversal. In addition, the channel the SSH data flows over is primarily peer-to-peer, bypassing the Formant cloud and its infrastructure. Peer-to-peer NAT traversal is accomplished using a subset of the WebRTC protocols and methods, specifically ICE and data channels.

    In essence, we are providing a peer-to-peer local port-forwarding service in which either or both peers may be behind NAT devices, and we are emphasizing the use of this service for SSH connectivity. To support local port forwarding over a WebRTC stack, we need a software component on the client side. This component is responsible for listening on a local TCP socket, signaling to the agent when a connection is accepted on the client side, and passing the data for that connection over a peer-to-peer communications channel to the Formant agent. This functionality is provided as part of a tool called fctl.

    OpenSSH ProxyCommand

    ProxyCommand is an OpenSSH configuration option that delegates the connection to the remote host to an external process. The SSH client writes to the process's stdin and reads from its stdout. The ProxyCommand can be anything you want, as long as it adheres to the following:

    • stdin and stdout are reserved for data and must not be used interactively (use stderr for logs)
    • the proxy transport must be reliable and preserve ordering (TCP-like)

    ProxyCommand is commonly used to jump through a bastion host to access another host that is not directly accessible. An example of doing this in one command would be:

       ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host

    %h and %p are tokens that expand to the host and port that were passed to the outer ssh command. The -W flag tells the inner ssh process to forward its stdin/stdout to that host and port over its connection to the bastion. Taking this example and assuming our ProxyCommand is a new tool called fctl that accepts three arguments (device, remote host, and remote port), our command would look like this:

      ssh -o ProxyCommand="fctl %h 127.0.0.1 %p" remote-host

    © 2020 Formant • 1999 Bryant St · San Francisco, CA 94110