npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

iotssh

v1.1.1

Published

SSH to an IoT edge device via AWS IoT Secure Tunneling without localproxy/Docker

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

sidoraressidorares

Keywords

Readme

iotssh

CLI to SSH into an IoT edge device without Docker or localproxy. It implements the AWS IoT Secure Tunneling source WebSocket client in Node.js and runs a full SSH session over the tunnel with ssh2.

The edge device must run a destination-side tunnel agent — typically the Greengrass aws.greengrass.SecureTunneling component (or a custom equivalent) that starts localproxy in destination mode and forwards to SSH on port 22. This tool replaces only the client-side localproxy; the device-side setup is unchanged.

How it works

End-to-end, the CLI wraps these steps:

  1. Create tunnel — Call OpenTunnel via the AWS SDK, targeting the IoT thing name and requesting services (SSH, HTTP, HTTPS). AWS notifies the device over MQTT to start its destination localproxy.
  2. Get source access tokenOpenTunnel returns a sourceAccessToken (outbound connection credential for the client) and tunnelId.
  3. Connect WebSocket — Open a WSS connection to data.tunneling.iot.<region>.amazonaws.com in source mode, passing the token in the access-token header and subprotocol aws.iot.securetunneling-3.0.
  4. Create duplex stream — Wrap the WebSocket in TunnelStream, a Node.js Duplex that encodes/decodes v3 protobuf frames (SERVICE_IDS, STREAM_START, DATA, etc.). This replaces the TCP socket that source localproxy would expose on localhost.
  5. Create SSH connection — Pass that stream to ssh2 as sock and run a normal SSH handshake and interactive shell over the tunneled byte stream.

On exit, the CLI closes the WebSocket and calls CloseTunnel.

Dependencies

| Package | Role | |---------|------| | @aws-sdk/client-iotsecuretunneling | OpenTunnel / CloseTunnel | | ws | Source WebSocket to data.tunneling.iot.<region>.amazonaws.com | | protobufjs | Tunnel v3 framing (V3WebSocketProtocolGuide.md) | | ssh2 | SSH client (handshake, PTY shell) over a custom stream |

Prerequisites

  • Node.js 18+
  • AWS credentials with iot:OpenTunnel / iot:CloseTunnel
  • Edge device online with Greengrass healthy and aws.greengrass.SecureTunneling (or similar destination tunnel component) running

Install

Install globally so iotssh is on your PATH:

npm install -g iotssh

From a clone:

npm install -g .

Usage

iotssh <THING_NAME>

# options
iotssh my-edge-device --user root --region ap-southeast-2 --wait 6

# password auth
export IOTSSH_PASSWORD='your-password'
iotssh my-edge-device

# or
iotssh my-edge-device --password 'your-password'

Without a global install, use npx — it runs the same iotssh bin entry as a local install:

npx iotssh my-edge-device
npx iotssh my-edge-device --user root --region ap-southeast-2

When developing from a clone, npm install then npx iotssh uses the local package (no publish required).

SSH authentication

The client only enables methods you configure:

| Method | Config | |--------|--------| | Password | IOTSSH_PASSWORD or --password | | Private key file | IOTSSH_KEY_PATH or --identity | | ssh-agent | IOTSSH_USE_AGENT=1 or --use-agent | | Keyboard-interactive | --try-keyboard (uses the same password for prompts) |

If none are set, ssh2 may still try keys from your ssh-agent. Host key algorithms include legacy ssh-rsa for embedded SSH servers such as Dropbear.

Protocol note

Destination localproxy on the device still handles the device-side WebSocket and TCP bridge to SSH. This tool reimplements only the client-side localproxy behavior (WebSocket + protobuf + stream bridge), as documented in V3WebSocketProtocolGuide.md.