Protocol Version Exchange: the comments field and an idea how to use it

Hannes Hörl hannes.hoerl at snowreporter.com
Thu Nov 14 00:25:44 EST 2013


Hi.

Just to be clear:
This all is just my imaginary use case. Anyhow, I think you could call 
the thing I'm thinking about "poor man's SNI[0] for SSH" ...

So my question(s) rephrased:
Why isn't there anything like SNI for SSH? For security reasons? Is 
there no demand? Is there a better solution which I don't know of?

On 11/13/2013 01:25 PM, J's Mail wrote:

> What you describe can be configured today, with no development effort at
> all.
>   [...]
> client machine
> ssh_config:
> Host private_internal_machine
>    hostname 192.168.1.22
>    ProxyCommand ssh proxy -W %h:%p

If I understand this right this would make an ssh connection to the 
proxy, terminate it there - and make a second connection from the client 
machine to the backend machine, tunneled through the first ssh 
connection, right?
So anything needed (account, certs, ...) to authenticate a user on the 
backend machine needs to be set up and available on the proxy too.

> This particular configuration would require the proxy/gateway machine to
> have credentials configured for the desired accounts.  This may or may
> not be a stumbling block.

For my imaginary use case, the backend machines would be (virtual) hosts 
for customers, friends, ... where I have no idea about e.g. user 
accounts (or for that matter: I'd have no idea about anything going on 
on those hosts).
The only thing I know is, if there is a host with a certain hostname in 
my backend network or not. If so I'd like to pipe through the connection 
to the desired host. I don't want to have any ssh connection to the 
proxy machine itself.

Therefore my idea:
   the magical '-H'[1] switch (or some setting in the ssh_config).

$ ssh -H user at www.mybackendhost.com

www.mybackendhost.com resolves to the IP of the proxy (there is already 
HAProxy running for proxying HTTP ...). The '-H' option appends the 
hostname (www.mybackendhost.com again) to the "Protocol Exchange String"[2].

My proxy daemon then just has to listen to the first line (or first 255 
chars or whatever) and, based on this, can determine where the 
connection has to go. It doesn't have to have any idea about ssh, 
encryption, ... itself. After finding the desired host, my proxy daemon 
just has to sit between the client and the backend host and forward data 
coming from either side to the other - without knowing, what this data 
is actually about.


Thank you for your input anyways!

Bye, Hannes


[0] https://en.wikipedia.org/wiki/Server_Name_Indication

[1] I just picked '-H' because it seems to be unused by now

[2] for example:
SSH-2.0-OpenSSH_6.4p1 www.mybackendhost.com
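To make the proxy daemon sketched above concrete, here is an added example (not code from the post, from OpenSSH, or from HAProxy) of the routing half of such a daemon in Python: it reads only the client's protocol version line (RFC 4253 section 4.2: `SSH-protoversion-softwareversion SP comments CR LF`, at most 255 bytes), takes the hostname the hypothetical `-H` switch would have placed in the comments field, looks it up in a constructed routing table, and then relays bytes in both directions without understanding anything further about the protocol. The `-H` switch, the `BACKENDS` table and the backend address (reusing 192.168.1.22 from the quoted ssh_config) are assumptions for illustration.

```python
import re
import socket
import threading

# Constructed routing table: hostname carried in the comments field -> backend.
# In a real deployment this would be whatever the proxy knows about its backend network.
BACKENDS = {
    "www.mybackendhost.com": ("192.168.1.22", 22),
}

MAX_LINE = 255  # RFC 4253: version string incl. CR LF must not exceed 255 bytes
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # only accept plain DNS names


def parse_version_line(line: bytes):
    """Split b'SSH-2.0-OpenSSH_6.4p1 www.mybackendhost.com\\r\\n' into
    (protoversion, softwareversion, comments). Returns None for anything
    that is not a well-formed SSH version line."""
    if not line.startswith(b"SSH-") or len(line) > MAX_LINE:
        return None
    head, _, comments = line.rstrip(b"\r\n").partition(b" ")
    parts = head.split(b"-", 2)
    if len(parts) != 3:
        return None
    dec = lambda b: b.decode("ascii", "replace")
    return dec(parts[1]), dec(parts[2]), dec(comments)


def select_backend(line: bytes, table=BACKENDS):
    """Pick the backend for a client version line, or None to refuse the
    connection. Unknown or malformed names are refused rather than guessed."""
    parsed = parse_version_line(line)
    if parsed is None:
        return None
    tokens = parsed[2].split()
    if not tokens or not HOSTNAME_RE.match(tokens[0]):
        return None
    return table.get(tokens[0].lower())  # DNS names are case-insensitive


def read_version_line(sock: socket.socket) -> bytes:
    """Read the first line byte by byte; the proxy never needs more than that."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < MAX_LINE:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF; the proxy does not interpret them."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client: socket.socket) -> None:
    line = read_version_line(client)
    backend = select_backend(line)
    if backend is None:
        client.close()
        return
    upstream = socket.create_connection(backend)
    # Replay the exact bytes already consumed: both peers hash the version
    # strings into the key exchange, so the line must reach the backend unmodified.
    upstream.sendall(line)
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)


def serve(listen=("0.0.0.0", 2222)) -> None:
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two points a practitioner would want to keep in mind: the relay has to forward the version line byte-for-byte (including the comments field), because both client and server feed their version strings into the exchange hash and any rewrite would break the key exchange; and because the comments field is plaintext, the routing name is visible to anyone on the path, exactly as a TLS SNI value is, which is also why the proxy can only route on it and never authenticate with it.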
