openssh as a proxy: ForceCommand limitations & speed penalty

Amr Saad as.amr.saad at gmail.com
Mon Feb 21 05:22:41 EST 2011


I've hit two roadblocks while using openssh -D as a general proxy:

- openssh doesn't have an internal-null, so the options are to either
give the user account a real shell and ForceCommand, or set the shell
to something like /bin/cat and ChrootDirectory. I don't want
proxy-only accounts to have a shell at all.

- Comparing mini-httpd SSL/aes256 vs mini-httpd (localhost/no SSL) via
openssh -D/aes256 shows a c. 20% speed penalty on urandom blocks. Is
this expected?
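The two workarounds described in the first item, written out as an sshd_config fragment. This is an added example, not part of the original post and not a configuration from the OpenSSH project; the group names `proxy-fc` and `proxy-cat` and the path `/var/empty/proxy` are assumptions.

```sshd_config
# Added example (assumed group names and chroot path; not from the original post).

# Workaround 1: the account keeps a real login shell, and ForceCommand
# replaces whatever command the client requests. sshd invokes ForceCommand
# through the user's login shell with -c, so that shell has to work.
Match Group proxy-fc
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false

# Workaround 2: the account's login shell is set to /bin/cat in the passwd
# database and the connection is chrooted. Every component of the chroot
# path must be a root-owned directory not writable by any other user or
# group, and /bin/cat must exist inside the chroot for a session to start.
Match Group proxy-cat
    ChrootDirectory /var/empty/proxy
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no

# A client that only wants the SOCKS listener connects with -N -D, which
# opens the dynamic forward without requesting a session at all.
```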

