github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #2565] 明文模式下 token 的運作方式安全性 #2039

New issue
Closed
opened 2026-05-05 13:19:01 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 13:19:01 -06:00
Owner
Copy link

Originally created by @KusakabeShi on GitHub (Sep 5, 2021).
Original GitHub issue: https://github.com/fatedier/frp/issues/2565

Describe the feature request

您好,想請教token是如何在frps和frpc之間傳遞的?

我不擔心數據被竊聽,因為ssh已經有加密了。所以我想讓frp運作在明文模式

但是如果frp運作在明文模式,token是否會以明文傳輸呢?
這讓是否能讓中間人攔截我的token,假冒我的身分以frpc連接我的frps呢?

還是說會有挑戰的過程,伺服器產生一次性challange(或是使用jwt),並計算 md5(challange+token)
把challange明文傳輸給frpc。 frpc也計算 md5(challange+token) ,回傳給frps
token完全沒有被傳輸到

因為文檔沒有提到token如何被處裡的,想來問問

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @KusakabeShi on GitHub (Sep 5, 2021). Original GitHub issue: https://github.com/fatedier/frp/issues/2565 ### Describe the feature request 您好,想請教token是如何在frps和frpc之間傳遞的? 我不擔心數據被竊聽,因為ssh已經有加密了。所以**我想讓frp運作在明文模式** 但是如果frp運作在明文模式,**token是否會以明文傳輸呢?** 這讓是否能讓中間人攔截我的token,假冒我的身分以frpc連接我的frps呢? 還是說會有挑戰的過程,伺服器產生一次性challange(或是使用jwt),並計算 md5(challange+token) 把challange明文傳輸給frpc。 frpc也計算 md5(challange+token) ,回傳給frps token完全沒有被傳輸到 因為文檔沒有提到token如何被處裡的,想來問問 ### Describe alternatives you've considered _No response_ ### Affected area - [X] Docs - [ ] Installation - [ ] Performance and Scalability - [X] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror 2026-05-05 13:19:01 -06:00
gitea-mirror commented 2026-05-05 13:19:04 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Sep 6, 2021):

你的猜测是正确的,传输的时候会用 token + timestamp 做 hash 运算。

<!-- gh-comment-id:913387225 --> @fatedier commented on GitHub (Sep 6, 2021): 你的猜测是正确的,传输的时候会用 token + timestamp 做 hash 运算。
gitea-mirror commented 2026-05-05 13:19:05 -06:00
Author
Owner
Copy link

@KusakabeShi commented on GitHub (Sep 6, 2021):

所以就算是明文傳輸模式,也不用擔心黑客攔截token,假冒我的frpc,把流量導向黑客的frpc上,對吧?

對了,hash(token + timestamp),可能有重放攻擊,想請教針對這點有做防禦嗎?

<!-- gh-comment-id:913579210 --> @KusakabeShi commented on GitHub (Sep 6, 2021): 所以就算是明文傳輸模式,也不用擔心黑客攔截token,假冒我的frpc,把流量導向黑客的frpc上,對吧? 對了,hash(token + timestamp),可能有重放攻擊,想請教針對這點有做防禦嗎?
gitea-mirror commented 2026-05-05 13:19:06 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Sep 7, 2021):

更多的细节建议阅读代码了解。

<!-- gh-comment-id:913949122 --> @fatedier commented on GitHub (Sep 7, 2021): 更多的细节建议阅读代码了解。
gitea-mirror commented 2026-05-05 13:19:06 -06:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Oct 8, 2021):

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

<!-- gh-comment-id:938248450 --> @github-actions[bot] commented on GitHub (Oct 8, 2021): Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#2039
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?