[RFC]: OpenSSH vpn lists

William Ahern william at 25thandClement.com
Thu Mar 22 17:30:06 EST 2007


On Wed, Mar 21, 2007 at 05:14:50PM -0400, John Richard Moser wrote:
> I've got an idea for using OpenSSH to establish a sort of internal
> secure network, where everything going back and forth between certain
> services (i.e. MySQL, how horrid) is encrypted even if the
> application/server doesn't support launching the service over SSL.  This
> has some issues; so I'm probing for ideas on a new feature that would
> resolve them and make this easier.
> 
> Let's hypothesize that you have 100 database servers serving MySQL
> (TCP:3306) and MS SQL 2005 (TCP:1433).  These are as follows:
> 
> 10.10.30.[50-100]:3306 - MySQL
> 10.10.40.[75-125]:1433 - MS SQL 2000/2005
> 
> To deal with this, you set up on each machine 100 virtual network
> adapters that don't route outside:


Or, you simply patch OpenSSH to support domain socket forwarding. Then you
can have meaningfully named tunnels which can be used by local applications
in a more consistent and purposeful manner.

> Not sure.. anyone have any thoughts?

I do this extensively. I ruled juggling so many ports as out of the question
entirely. Not only was it ugly and hard to follow, it was also very error
prone. If for some reason you can bind to a particular port, then what? With
domain sockets you can at least remove them/override them.

- Bill
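To make the named-tunnel idea concrete, here is an added example (not code from the thread or from the OpenSSH project) that builds one ssh invocation forwarding each database to a Unix domain socket named after it. It assumes a modern OpenSSH client (6.7 or later), which implements `-L local_socket:host:port` natively rather than needing the patch the reply proposes; the jump host, addresses, tunnel names and socket directory are constructed for illustration. `StreamLocalBindUnlink` lets ssh replace a stale socket at the same path, and `StreamLocalBindMask=0177` creates the socket owner-only so other local users cannot reach the unencrypted end of the tunnel.

```shell
#!/bin/sh
# Added example: named Unix-socket tunnels to a fleet of database hosts.
# Assumes OpenSSH >= 6.7 for -L socket:host:port. All names are constructed.

TUNNEL_DIR=/var/run/dbtunnels   # assumption: a directory owned by the tunnel user, mode 0700

# Constructed inventory, one tunnel per line: name jumphost target port
TUNNELS='
mysql-db01  bastion.example.internal  10.10.30.50  3306
mysql-db02  bastion.example.internal  10.10.30.51  3306
mssql-db01  bastion.example.internal  10.10.40.75  1433
'

# Build the -L option for one tunnel: a meaningfully named socket in
# TUNNEL_DIR instead of a throwaway local port number.
forward_arg() {
    # $1 name, $2 target host, $3 target port
    printf '%s %s/%s.sock:%s:%s' -L "$TUNNEL_DIR" "$1" "$2" "$3"
}

# Assemble the full ssh command for every tunnel that uses the given jump host.
# -N: no remote shell; ExitOnForwardFailure: fail loudly if any bind fails;
# StreamLocalBindUnlink: remove a stale socket first (the "remove/override"
# property the reply mentions); StreamLocalBindMask=0177: socket is owner-only.
build_ssh_cmd() {
    jump="$1"
    args=$(printf '%s\n' "$TUNNELS" | while read -r name j target port; do
        [ -n "$name" ] && [ "$j" = "$jump" ] || continue
        forward_arg "$name" "$target" "$port"
        printf ' '
    done)
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StreamLocalBindUnlink=yes -o StreamLocalBindMask=0177 %s%s\n' "$args" "$jump"
}

# Check an application should run before using a tunnel socket: the path must
# be a socket and belong to us, otherwise it is stale or not ours at all.
socket_ready() {
    [ -S "$1" ] && [ -O "$1" ]
}

# Usage: sh dbtunnels.sh print   (show the command)
#        sh dbtunnels.sh start   (create the directory and run it)
case "${1:-}" in
    print) build_ssh_cmd bastion.example.internal ;;
    start) mkdir -p "$TUNNEL_DIR" && chmod 0700 "$TUNNEL_DIR" \
               && eval "$(build_ssh_cmd bastion.example.internal)" ;;
esac
```

An application then connects to `/var/run/dbtunnels/mysql-db01.sock` (MySQL clients take a socket path directly) and never sees a cleartext TCP port; restricting the socket directory to the tunnel user is what keeps the local end from becoming a shared, unauthenticated proxy.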

