SSH over websockets

Phil Lello phil at
Fri Jan 30 18:39:05 AEDT 2015

On 29 Jan 2015 21:53, "Ángel González" <keisial at> wrote:
> On 29/01/15 21:15, Alex Bligh wrote:
>> Be frightened:
> That's a ssh client implemented in chromium, not a web server acting as
> sshd. However…
> «Secure Shell also knows how to connect to an HTTP-to-ssh relay that was
> built inside Google.  Unfortunately that relay isn't open source, and Google
> doesn't maintain a public pool of relays»
> --;a=blob;f=chromeapps/nassh/doc/faq.txt
> Phil wrote:
>> My main motivation is that it is generally easier to route HTTP across
>> multiple corporate firewalls than getting ports opened for ssh (even if
>> it is an embedded sshd such as in gerrit rather than an actual shell).
> It will depend on how picky the firewalls are. You may prefer to embed it
> into a https stream, such as using a proxy command of
> socat - openssl-connect:%h:%p
That's certainly worth considering. However, my focus when posting was more
motivated by defining a standard for ssh over web sockets, such as
ws://host/path, along with a standard (as opposed to proxy command)

I think in intranet environments tunneling over HTTP is good so that
firewalls can inspect session setup/endpoints; in public environments I'd
go for HTTPS to prevent precisely that.

So, would a patch to the client to support hostnames as ws:// or wss:// be
a welcome addition? If so, should a reference server be included too, given
that I would be doing this as an apache module?


More information about the openssh-unix-dev mailing list