> Beam cannot support end-to-end encrypted buffers. While data is encrypted during transfer to and from the Beam host, it’s decrypted temporarily before being re-encrypted and forwarded. The host only holds a small buffer (typically 1 kB) of unencrypted data at any time and never stores the full stream. For extra security, you can encrypt your files or pipes before sending them through Beam.
With a little effort, beam is as trustable as any (if not more) of its alternatives. And, that extra effort is a result of the design goal of not having to force a binary installation.
Plus, you can always self host beam, it's not that complicated.
After reading the readme I’m confused what the advantage is over just regular piping.
‘’’
command-on-server1 | ssh user@server2 'command-on-server2'
‘’’
Beam lets you do what you described even when both the machines are isolated and not reachable from one another. All you need is ssh clients on both the machines.
That’s not clear in the readme. It might be worth explicating stating that this uses the SSH protocol but is designed to work on hosts that either dont have OpenSSH enabled or environments where you don’t control the OpenSSH config.
Given the current readme, I was left wondering the same as the GP too.
But if you have ssh clients on both machines, you can use port forwarding to allow machine2 to connect to machine1 via ssh. Or you can connect both machines to the "SSH stun server" (which is something like the beam host if I understand correctly) and let them connect through that.
I mean, I'm not bashing beam, but it's mostly syntactic sugar, not something that provides some actual new functionality, is that right?
You can do this using a regular SSH server and some elbow grease. This is meant to be a simple setup and forget system that is relatively locked down and doesn't expose any more functionality than strictly necessary.
I think you can turn this (or any equivalent service like ssh-j.com) into an end-to-end encrypted option by relaying an SSH connection over which you send the data, instead of relaying the data.
Example:
# receiver
ssh top-secret@ssh-j.com -N -R ssh:22:localhost:22
socat UNIX-RECV:/tmp/foobar - | my command
# sender
my-command | ssh -J top-secret@ssh-j.com ssh socat - UNIX-SENDTO:/tmp/foobar
(log in with your creds to receiver host, enjoy end-to-end encryption)
Yup, wormhole and portal are better in most aspects. Beam is helpful when you have novel constraints like not being able to install arbitrary binaries, or if you have the need to transfer streams and not just files, or maybe even pub key based white-listing of access.
@kdsme9 I think this is great and you've done a great work putting it together and sharing it with us for free.
Using the public key to match streams on both ends is super clever. I will start using this since it fills a need I have almost every day. I work with many small AWS instances and sometimes I just need to copy a small file or something to them without having to install a whole new OS like some short sighted people here are suggesting.
You also shipped your product, which is something only ~1% of developers actually do, so congrats.
Forget about the naysayers and thank you for creating this, it will make my work easier :).
Edit: Downvote me all you want, I still like this thing.
I have used https://pipe.pico.sh/ for this. pico.sh also has a bunch of other SSH-accessible services, e.g. pastes, and paid (or free if self-hosted) port tunneling.
I don't see any advantage over plain "-o 'ProxyJump box.in.the.middle'"? I guess this is supposed to buffer things? But then again, that's what "tail -f" is for…
Given a local machine and two remote machines: ssh remote2 -J remote1. This will connect to remote1 as a normal SSH connection, but then port forward a new connection to remote2 via that connection. Traffic leaving localhost is double-encrypted, and remote1 cannot see the data.
Disadvantage: remote1 must be able to connect to remote2. In this (ssh.beam.camp) software, remote2 can be in a place where accepting incoming connections is not possible.
This is meant for cases when the machines are isolated, for example, when you attach to a remote container and want to download a file from it to your machine.
> Beam cannot support end-to-end encrypted buffers. While data is encrypted during transfer to and from the Beam host, it’s decrypted temporarily before being re-encrypted and forwarded. The host only holds a small buffer (typically 1 kB) of unencrypted data at any time and never stores the full stream. For extra security, you can encrypt your files or pipes before sending them through Beam.
With a little effort, beam is as trustable as any (if not more) of its alternatives. And, that extra effort is a result of the design goal of not having to force a binary installation.
Plus, you can always self host beam, it's not that complicated.
On Receiving Server
And then on sending serverGiven the current readme, I was left wondering the same as the GP too.
I mean, I'm not bashing beam, but it's mostly syntactic sugar, not something that provides some actual new functionality, is that right?
You can do this using a regular SSH server and some elbow grease. This is meant to be a simple setup and forget system that is relatively locked down and doesn't expose any more functionality than strictly necessary.
Example:
This thing is "already there" and it takes two commands. I like it a lot, tbh.
Using the public key to match streams on both ends is super clever. I will start using this since it fills a need I have almost every day. I work with many small AWS instances and sometimes I just need to copy a small file or something to them without having to install a whole new OS like some short sighted people here are suggesting.
You also shipped your product, which is something only ~1% of developers actually do, so congrats.
Forget about the naysayers and thank you for creating this, it will make my work easier :).
Edit: Downvote me all you want, I still like this thing.
More confused than anything else…
Disadvantage: remote1 must be able to connect to remote2. In this (ssh.beam.camp) software, remote2 can be in a place where accepting incoming connections is not possible.
New meaning of the word isolated