SSH over websockets

Phil Lello phil at dunlop-lello.uk
Fri Jan 30 20:50:25 AEDT 2015


On Fri, Jan 30, 2015 at 8:28 AM, Michael Felt <aixtools at gmail.com> wrote:

> I must be missing the point here somehow. From my simple mind I think that
> two things would be needed - first a mod, e.g., mod_sshd, or better an
> addition to mod_auth and mod_proxy so that a URL could be used to initiate
> contact to an sshd server elsewhere.
> The mod_auth part could/should be used to verify the credentials to use -
> basically setting up the VPN between ssh and httpd as ssh; the httpd server
> would setup its own separate connection with the target sshd - with
> mod_proxy_logic - to verify that the httpd server can and will make a
> connection. Lastly, to prevent a continuous man in the middle the original
> ssh client would make a second connection to establish ciphers, mac and kex
> via the two connections using the httpd as man-in-the-middle.
>

I may have explained myself poorly. The proposed apache mod would only
exist as a reference implementation to verify that the client was working
correctly. I'm not thinking of supporting proxying from a webserver, other
than through traditional ssh netcat-style proxying. This would simply be a
mechanism to transport ssh traffic over websockets instead of vanilla TCP,
to allow ssh key-based authentication of a websocket connection. The
proposed use case is only for when the webserver is presenting an
application that wants ssh key-based authentication. Part of my motivation
is that I'd like to expose git or gerrit over websockets, which
already support ssh key-based authentication. rsync over websockets could
be good too.

As far as the security/political implications go, I fully agree it might
not work from a PR perspective, but I don't think this creates any more
issues than allowing sshd to run as a SOCKS proxy, or dynamically forward
inbound or outbound TCP.

For the reference implementation itself, I was thinking of using
https://github.com/disconnect/apache-websocket and providing an sshd plugin.

Phil
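To make the transport idea above concrete, here is an added example that is not part of the thread and not Phil's or any project's code: a minimal, stdlib-only implementation of the RFC 6455 pieces a client and server would need to carry the opaque SSH byte stream over a WebSocket. It computes the Sec-WebSocket-Accept handshake value, frames SSH bytes as binary (opcode 0x2) frames with the client-side masking the RFC requires, and unframes them on the server side while enforcing the rules a server must reject on (reserved bits set, unmasked client frames). The SSH banner used as sample input is constructed for the example; the GUID and the handshake test vector are the ones fixed in RFC 6455.

```python
"""Minimal RFC 6455 framing for carrying an SSH byte stream over a WebSocket.
Added example (stdlib only), not code from the openssh-unix-dev thread."""
import base64
import hashlib
import os
import struct

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455 section 4.2.2
OPCODE_BINARY = 0x2  # SSH data is opaque bytes, so binary frames, never text


def accept_key(client_key: str) -> str:
    """Server side of the opening handshake: the Sec-WebSocket-Accept value
    is base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_frame(payload: bytes, mask: bool, fin: bool = True,
                 opcode: int = OPCODE_BINARY) -> bytes:
    """Build one frame. Clients MUST mask (RFC 6455 section 5.3) with a fresh
    random key per frame; servers MUST NOT mask."""
    header = bytes([(0x80 if fin else 0) | opcode])
    n = len(payload)
    mask_bit = 0x80 if mask else 0
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < (1 << 16):
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return header + payload
    key = os.urandom(4)
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return header + key + masked


def decode_frame(buf: bytes, expect_masked: bool):
    """Parse one frame from the front of buf.
    Returns (opcode, payload, bytes_consumed), or None when buf does not yet
    hold a complete frame (a TCP read may deliver a partial frame).
    Raises ValueError on violations a peer must treat as a protocol error."""
    if len(buf) < 2:
        return None
    b0, b1 = buf[0], buf[1]
    if b0 & 0x70:
        raise ValueError("RSV bits set without a negotiated extension")
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    if masked != expect_masked:
        raise ValueError("masking rule violated (client frames must be masked, "
                         "server frames must not)")
    n = b1 & 0x7F
    pos = 2
    if n == 126:
        if len(buf) < 4:
            return None
        n, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif n == 127:
        if len(buf) < 10:
            return None
        n, pos = struct.unpack("!Q", buf[2:10])[0], 10
    key = b""
    if masked:
        if len(buf) < pos + 4:
            return None
        key, pos = buf[pos:pos + 4], pos + 4
    end = pos + n
    if len(buf) < end:
        return None
    payload = buf[pos:end]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, end


def unframe_stream(buf: bytes, expect_masked: bool) -> bytes:
    """Reassemble the SSH byte stream from a buffer holding whole frames back
    to back, as the receiving side of the bridge would before writing to sshd."""
    out = bytearray()
    while buf:
        parsed = decode_frame(buf, expect_masked)
        if parsed is None:
            raise ValueError("trailing partial frame")
        opcode, payload, used = parsed
        if opcode == OPCODE_BINARY:
            out += payload
        buf = buf[used:]
    return bytes(out)


if __name__ == "__main__":
    banner = b"SSH-2.0-OpenSSH_6.7\r\n"  # constructed sample SSH version line
    wire = encode_frame(banner, mask=True)  # client -> server direction
    print(unframe_stream(wire, expect_masked=True))
```

In the design sketched in the thread, the WebSocket layer is pure transport: the client would run this framing from an ssh ProxyCommand, the server side would strip the frames and hand the bytes to sshd, and SSH's own key exchange and host-key verification still run end to end inside the frames, so the web server never sees plaintext SSH session data.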

