Name based SSH proxy

Kasper Dupont kasperd at kdxdx.23.may.2015.kasperd.net
Sun May 24 21:19:13 AEST 2015


On 23/05/15 14.42, Kasper Dupont wrote:
> I am working on a proxy which can be hosted on a single
> IP address and dispatch requests to different backends
> depending on which hostname the client used to connect to
> this IP address.
> 
> Currently such a proxy can be built to support HTTP, HTTPS,
> SMTP, and DNS. However, SSH support is impossible due to
> the ssh client not sending the information such a proxy
> would need.
> 
> I am not the first to want such a proxy:
> http://serverfault.com/q/34552/214507
> However my searches only found people talking about it,
> and nobody doing anything about it.
> 
> I have attached a tiny patch for the openssh-client, which
> I believe does everything openssh would need to do in order
> to support this kind of proxy.
> 
> What are your thoughts on the attached patch?
> 
> Rationale behind the design of the patch:
> A name based SSH proxy will need to accept connections from
> clients and, based on data sent by the client, choose a
> backend server to connect to.
> 
> The proxy will not be able to forward the version
> identification from the backend to the client until after
> it has connected to the backend. Thus the proxy will need
> to extract the hostname from the data sent by the client
> before any version identification has been sent in the
> other direction.
> 
> This leaves the version identification sent from client
> to server as the only place such a proxy could possibly
> extract the hostname from. Thus the patch would have to
> extend the format of the version identification to include
> a hostname.
> 
> The version identification contains a comments field
> which at the moment is a free form field sent by client
> and ignored by server. The intended purpose of this field
> is to aid in debugging, thus it just needed to be human
> readable.
> 
> Replacing the comments field with JSON formatted data will
> allow it to serve both purposes. I picked JSON because it
> is extensible and very simple.
> 
> The change amounts to modifying two lines of code in
> send_client_banner and passing the hostname as function
> argument where it is now necessary. No server side changes
> are needed.

I have put a copy of the patch here:
http://share.kasperd.net/openssh-6.6p1-sni.patch

And an example of how a proxy using this feature could be
implemented here:
http://share.kasperd.net/ssh-sni.py

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
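The dispatch step the quoted rationale describes, written out as an added example (not the poster's ssh-sni.py and not the OpenSSH patch): a proxy reads the client's identification line, parses it per RFC 4253 ("SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes), tries to read the comments field as JSON, and picks a backend from a routing table. The JSON key name `host`, the `BACKENDS` table and the sample banners are assumptions and constructed data; the mailing list post does not specify the field name. The hostname is used only as a lookup key into a fixed table, since at this point in the handshake nothing has authenticated it.

```python
import json
import re

# Assumed JSON key carried in the comments field by the patched client.
# The post does not name the key, so this is a placeholder choice.
HOST_KEY = "host"

# RFC 4253 section 4.2: the identification line is at most 255 bytes
# including CR LF; softwareversion may not contain whitespace or '-';
# the comments field is optional and follows a single space.
MAX_BANNER = 255
BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\s]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$"
)

# Conservative hostname syntax: 1-253 chars, labels of letters, digits, '-'.
VALID_HOST = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)

# Constructed routing table: requested name -> (backend address, port).
BACKENDS = {
    "git.example.net": ("10.0.0.2", 22),
    "shell.example.net": ("10.0.0.3", 22),
}
# Used when no hostname is present (an unpatched client) or it is unknown.
DEFAULT_BACKEND = ("10.0.0.1", 22)


def parse_client_banner(raw: bytes) -> dict:
    """Split one identification line into proto, software and comments.

    Raises ValueError for oversize input or a line that is not an SSH
    identification line, so the proxy can drop the connection early.
    """
    if len(raw) > MAX_BANNER:
        raise ValueError("identification line exceeds 255 bytes")
    line = raw.rstrip(b"\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification line")
    return {
        "proto": m["proto"].decode("ascii"),
        "software": m["software"].decode("ascii"),
        "comments": m["comments"] or b"",
    }


def requested_hostname(comments: bytes):
    """Return a validated hostname from JSON comments, or None.

    A free-form comments field (stock OpenSSH sends e.g. 'Ubuntu-2ubuntu2'),
    malformed JSON, a non-object, a missing key or a syntactically bad
    hostname all yield None so the proxy falls back to its default.
    """
    if not comments.startswith(b"{"):
        return None
    try:
        data = json.loads(comments.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    host = data.get(HOST_KEY) if isinstance(data, dict) else None
    if not isinstance(host, str):
        return None
    host = host.rstrip(".").lower()
    return host if VALID_HOST.match(host) else None


def choose_backend(raw: bytes):
    """Map one client identification line to (backend, hostname_or_None)."""
    info = parse_client_banner(raw)
    host = requested_hostname(info["comments"])
    return BACKENDS.get(host, DEFAULT_BACKEND), host


if __name__ == "__main__":
    # Constructed sample banners: an unpatched client and a patched one.
    for banner in (
        b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n",
        b'SSH-2.0-OpenSSH_6.6p1 {"host":"git.example.net"}\r\n',
    ):
        print(banner.rstrip(), "->", choose_backend(banner))
```

Because the name arrives before any key exchange, the proxy treats it purely as a routing key: unknown or malformed names go to the default backend rather than being interpolated anywhere, and the client's own host key check still binds the session to the name the user typed, not to anything the proxy did.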

