sshd also talking HTTP

Dan Kaminsky dan at doxpara.com
Fri Jul 11 08:23:17 EST 2003


>There is a reason ports are registered for services. =)  Same reason you
>name your public server sane names like "www.mydomain.com" and
>"mail.mydomain.com".  Because it is what people expect.  Be it right or
>wrong.  The whole "lets pig pile everything on port 80/443" has become
>extreme lately.
Yeah, welcome to the unplanned evolution of the net.  *sighs*

You can't argue a server with 40 open ports is good, so what does that 
leave you?

>As for IPSec people.. Not seen too much from them.  besides.. IPSec is
>much more complex and is not the end-all of all tools (nor should ssh be).
SSH seems very complex compared to telnet, which is _obviously_ secure 
over IPSec :-)

>Personally my take is.. "UGH, yet another bloated feature.  My god our
>code base is already too big to understand when I'm drunk!" =)
>
>But I agree as a separate project in a generic form it may be semi-useful,
>but that is outside the scope of our focus.
We agree -- although, conceivably, we could accept some form of proxy 
notification from external proxies like the one I described.  There's 
lots of precedent for this -- squid proxies notify over HTTP who they're 
requesting pages for, and mail servers add to the headers which IP 
address sent them the mail to be delivered.  This could be much cleaner 
and more portable than the "transparent proxying" hack used by stunnel, 
and would involve little more than the proxy appending 
"ProxyFor=1.2.3.4" after the client banner (thus retaining compatibility 
with existing servers).

We would have to be careful to only believe such proxies if they came 
from localhost...

--Dan
www.doxpara.com
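As an added example (not code from this message and not OpenSSH's own), the following Python sketch shows the receiving side of the scheme proposed above: a server parses the client identification string, looks for a trailing "ProxyFor=<addr>" token, and honours it only when the TCP peer is loopback, as the message's caveat requires. The exact banner layout (token in the comment field), the function and class names, and the sample addresses are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed layout: "SSH-<proto>-<software> [comments]" (the RFC 4253 identification
# string), with the proxy appending "ProxyFor=<addr>" in the comments field, e.g.
#   SSH-2.0-OpenSSH_3.6.1p2 ProxyFor=1.2.3.4
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
PROXYFOR_RE = re.compile(r"\bProxyFor=(?P<addr>\S+)")


@dataclass
class ClientIdent:
    protoversion: str
    software: str
    peer_addr: str     # address the TCP connection actually arrived from
    client_addr: str   # address to log/authorize against: claimed one if trusted, else peer
    via_proxy: bool    # True only when a loopback proxy supplied a well-formed ProxyFor


def parse_client_banner(banner: str, peer_addr: str) -> ClientIdent:
    """Parse the client banner and decide which source address to believe.

    The ProxyFor claim is believed only when the connection comes from localhost
    (the proxy running on the same host); from any other peer the token is
    parsed but ignored, so a remote client cannot spoof its own origin.
    """
    line = banner.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    proto, software = m.group("proto"), m.group("software")
    comment = m.group("comment") or ""

    pm = PROXYFOR_RE.search(comment)
    if pm is None:
        # No proxy annotation: the peer is the client.
        return ClientIdent(proto, software, peer_addr, peer_addr, False)

    try:
        claimed = ipaddress.ip_address(pm.group("addr"))
    except ValueError:
        # Malformed address in the token: ignore the claim rather than guess.
        return ClientIdent(proto, software, peer_addr, peer_addr, False)

    if ipaddress.ip_address(peer_addr).is_loopback:
        # Only a proxy on this host is trusted to say who it is forwarding for.
        return ClientIdent(proto, software, peer_addr, str(claimed), True)

    # A non-local peer asserting ProxyFor is not a trusted proxy; keep the real peer.
    return ClientIdent(proto, software, peer_addr, peer_addr, False)
```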
