Name based SSH proxy

Damien Miller djm at mindrot.org
Mon May 25 09:51:41 AEST 2015


On Sat, 23 May 2015, Kasper Dupont wrote:

> I am working on a proxy which can be hosted on a single
> IP address and dispatch requests to different backends
> depending on which hostname the client used to connect to
> this IP address.
> 
> Currently such a proxy can be built to support HTTP, HTTPS,
> SMTP, and DNS. However, SSH support is impossible due to
> the ssh client not sending the information such a proxy
> would need.
> 
> I am not the first to want such a proxy:
> http://serverfault.com/q/34552/214507
> However my searches only found people talking about it,
> and nobody doing anything about it.
> 
> I have attached a tiny patch for the openssh-client, which
> I believe does everything openssh would need to do in order
> to support this kind of proxy.
> 
> What are your thoughts on the attached patch?

I'm not sure it should be part of the banner exchange, though there is
no other trivial way to do it and maintain backwards compatibility.
I don't much like it because it reveals host identity information
in the clear.

A better way would be to exchange this after the connection has
been keyed, but that would require extensive changes to the key
exchange protocol.

I don't really want to implement a half-measure in OpenSSH...

-d
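To make the objection above concrete, here is an added example (not part of the thread, the attached patch, or OpenSSH itself): a parser for the RFC 4253 identification string, which is the first thing each side sends and goes out before any key exchange, so a name-based proxy reading a hostname from it would be reading it in the clear. The `host=<name>` token in the comments field is an assumed placement for illustration; the patch's actual encoding is not on the page.

```python
import re
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion contains no spaces; comments (optional) may. The whole line
# is plaintext: no key exchange has happened yet when it is sent.
_ID_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<sw>[^ \r\n]+)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n$"
)


def parse_identification(line: bytes) -> dict:
    """Parse one identification line; raise ValueError if it is malformed."""
    if len(line) > 255:  # RFC 4253: at most 255 chars including CR LF
        raise ValueError("identification string too long")
    m = _ID_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string")
    comments = m.group("comments")
    return {
        "protoversion": m.group("proto").decode("ascii"),
        "softwareversion": m.group("sw").decode("ascii"),
        "comments": comments.decode("utf-8", "replace") if comments is not None else None,
    }


def is_ssh_identification(line: bytes) -> bool:
    """True if the line parses as an SSH identification string."""
    try:
        parse_identification(line)
        return True
    except ValueError:
        return False


def requested_host(line: bytes) -> Optional[str]:
    """Return a hypothetical 'host=<name>' hint from the comments field, if present."""
    comments = parse_identification(line)["comments"]
    if not comments:
        return None
    for token in comments.split():
        if token.startswith("host="):
            return token[len("host="):].lower()
    return None


def choose_backend(line: bytes, backends: dict, default=None):
    """Name-based dispatch: pick a backend from a hint that any on-path observer could also read."""
    return backends.get(requested_host(line), default)
```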
