SSH over websockets

Phil Lello phil at dunlop-lello.uk
Fri Jan 30 18:39:05 AEDT 2015


On 29 Jan 2015 21:53, "Ángel González" <keisial at gmail.com> wrote:
>
> On 29/01/15 21:15, Alex Bligh wrote:
>>
>> Be frightened:
>>
>> https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo?hl=en
>>
> That's a ssh client implemented in chromium, not a web server acting as
> sshd. However…
> «Secure Shell also knows how to connect to an HTTP-to-ssh relay that was
> built inside Google.  Unfortunately that relay isn't open source, and Google
> doesn't maintain a public pool of relays»
> -- http://git.chromium.org/gitweb/?p=chromiumos/platform/assets.git;a=blob;f=chromeapps/nassh/doc/faq.txt
>
>
>
>
> Phil wrote:
>>
>> My main motivation is that it is generally easier to route HTTP across
>> multiple corporate firewalls than getting ports opened for ssh (even if it
>> is an embedded sshd such as in gerrit rather than an actual shell).
>
> It will depend on how picky the firewalls are. You may prefer to embed it
> into a https stream,
> such as using a proxy command of socat - openssl-connect:%h:%p
>
That's certainly worth considering. However, my focus when posting was more
motivated by defining a standard for ssh - over - web sockets, such as
ws://host/path, along with a standard (as opposed to proxy command)
implementation.

I think in intranet environments tunneling over HTTP is good so that
firewalls can inspect session setup/endpoints; in public environments I'd
go for HTTPS to prevent precisely that.

So, would a patch to the client to support hostnames as ws:// or wss:// be
a welcome addition? If so, should a reference server be included too, given
that I would be doing this as an apache module?

Phil

