Name based SSH proxy

Kasper Dupont kasperd at kdxdx.23.may.2015.kasperd.net
Mon May 25 17:39:27 AEST 2015


On 25/05/15 09.51, Damien Miller wrote:
> I'm not sure it should be part of the banner exchange, though there is
> no other trivial way to do it and maintain backwards compatibility.

Even if backwards compatibility wasn't a requirement,
I don't see any better way it could be done.

> I don't much like it because it reveals host identity information
> in the clear.

So does the DNS lookup performed before the TCP connection
is established. So that can hardly be considered a
secret.

> 
> A better way would be to exchange this after the connection has
> been keyed, but that would require extensive changes to the key
> exchange protocol.

How would that work? The proxy doesn't hold the server key.
The proxy doesn't even know which server holds the key.

> 
> I don't really want to implement a half-measure in OpenSSH...

All the proxy needs to know is the hostname which was
previously sent in the clear to multiple DNS servers. And the
only concern you have brought up is that you don't want
this to be sent in the clear. I need a little bit of help to
understand what your concern is here.

I'll try to explain my usage scenario in a bit more detail.
I have a number of servers each running IPv6 only. Since
some clients will only have access to IPv4, I have deployed
a proxy on a dual stack host. But the proxy only has a
single IPv4 address. Clients connect to this address, and
the proxy performs a DNS lookup to find the IPv6 address
which this client wants to connect to. Currently this works
for HTTP, HTTPS, SMTP, and DNS.

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
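The scenario above (one IPv4 listener in front of several IPv6-only servers, with the proxy picking the backend by name) can be shown in code. What follows is an added example for this thread, not OpenSSH code and not the proxy the poster is running. Before key exchange the only cleartext the proxy sees from the client is the SSH identification string (RFC 4253, "SSH-2.0-software comments"), so the target name has to ride in it; the convention assumed here, a "host=<name>" token in the comments field, is this example's own and not a format the thread settles on. The suffix ".example.net" and the timeouts are also assumptions.

```python
"""Name-based SSH front proxy (added example, not OpenSSH's or the poster's code).

Accepts on IPv4, reads the client's identification string, picks the backend
from an assumed "host=<name>" token, resolves an AAAA record and relays bytes.
The banner is replayed to the backend unchanged, so key exchange and host key
verification happen end to end between client and real server; the proxy
never holds a server key.
"""
import asyncio
import re
import socket

ALLOWED_SUFFIX = ".example.net"  # assumption: only relay to our own hosts, never an open relay
MAX_BANNER = 255                 # RFC 4253 sec 4.2: identification string <= 255 bytes incl. CR LF

_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_banner(line: bytes):
    """Return (protoversion, softwareversion, comments); raise ValueError if malformed."""
    if len(line) > MAX_BANNER:
        raise ValueError("identification string too long")
    text = line.decode("ascii").rstrip("\r\n")  # non-ASCII raises UnicodeDecodeError (a ValueError)
    m = _BANNER_RE.match(text)
    if not m:
        raise ValueError("not an SSH identification string")
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def target_host(comments: str):
    """Extract the requested backend from a 'host=<name>' token (assumed convention).

    Returns None when the token is absent, syntactically bad, or not under
    ALLOWED_SUFFIX, so a client cannot steer the proxy at arbitrary IPv6 hosts.
    """
    for tok in comments.split():
        if tok.startswith("host="):
            name = tok[5:].lower().rstrip(".")
            if len(name) <= 253 and _HOST_RE.match(name) and name.endswith(ALLOWED_SUFFIX):
                return name
            return None
    return None


def resolve_ipv6(name: str, port: int = 22):
    """AAAA-only lookup: the backends are IPv6-only, so A records are deliberately ignored."""
    infos = socket.getaddrinfo(name, port, socket.AF_INET6, socket.SOCK_STREAM)
    return infos[0][4]  # (host, port, flowinfo, scope_id); getaddrinfo raises if nothing matches


async def _pump(reader, writer):
    """Copy one direction until EOF, then close the writer so the peer sees EOF too."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_r, client_w):
    # Only the first line is inspected; a client that stalls before sending it is dropped.
    try:
        line = await asyncio.wait_for(client_r.readline(), timeout=10)
        _, _, comments = parse_banner(line)
        name = target_host(comments)
        if name is None:
            raise ValueError("no acceptable target host in banner")
        host, port, *_ = resolve_ipv6(name)
        backend_r, backend_w = await asyncio.open_connection(host, port)
    except (ValueError, OSError, asyncio.TimeoutError):
        client_w.close()
        return
    backend_w.write(line)  # replay the client's own banner, unmodified
    await backend_w.drain()
    await asyncio.gather(_pump(client_r, backend_w), _pump(backend_r, client_w))


async def serve(listen_v4: str = "0.0.0.0", port: int = 22):
    server = await asyncio.start_server(handle_client, listen_v4, port, family=socket.AF_INET)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Two points a practitioner would check: the suffix allow-list is what keeps such a proxy from becoming a relay to any IPv6 host a client can name, and replaying the banner unchanged means the client still verifies the real server's host key, which is the property that makes the proxy safe to run without trusting it. The name itself is visible on the wire, exactly as the thread notes.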

