Name based SSH proxy

Kasper Dupont kasperd at fzcpf.25.may.2015.kasperd.net
Wed May 27 17:40:39 AEST 2015


On 27/05/15 01.42, Ángel González wrote:
> Why do you want the hostname being used to "be visible to the administrator
> of the SSH server"?

In case the AAAA record used by the proxy to find the
server for some reason points to the wrong IP address,
I want to ensure that the administrator of the server
has the opportunity to see the DNS record causing
connections to end up on their server. That's only
possible if the hostname is sent to the server somehow.

> 
> I assumed you wanted to send the final hostname to the *proxying SSH 
> server*.

Sorry if I didn't express that clearly enough. I need
the hostname to be visible to both proxy and the target
server.

> In which case, you don't need such a thing if using an HTTP CONNECT proxy (the
> hostname is now given to the HTTP proxy). And if you use an ssh server like the ssh
> tunneling I proposed, the final hostname is already provided, too.

Communicating the hostname to the proxy is probably going
to be the easy part. The tricky part is to make it visible
to the administrator of the target server.

> 
> If you want instead to give the hostname used to the *final* sshd, that's a different
> requirement for which you provided no rationale (and I suspect you are not really
> interested in).

That's definitely what I am interested in. The rationale
is that the administrator of the final server is to have
access to this information.

> 
> 
> Much more interesting at the final end than the requested would be to have the
> original client IP (i.e. X-Forwarded-For) but that would open a different can of worms
> (and required software changes) about proxies whose forwarded IPs should be trusted.

Actually for my specific usage, that is a solved problem.
Communication from client to proxy is IPv4. Communication
from proxy to server is IPv6. The proxy simply embeds the
client IPv4 as the last 32 bits of the client IPv6 visible
to the server.

> Something I would prefer not to enter into.

You don't have to. At least I am not going to be the one
asking you to.

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
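The IPv4-in-IPv6 embedding Kasper describes above (client IPv4 carried in the low 32 bits of the IPv6 source address the proxy uses towards the server), written out as an added example; it is not code from the thread or from OpenSSH. The /96 prefix is a constructed placeholder, and the server-side decoder only trusts the embedded bits when the peer address actually falls inside that prefix, which is the "which proxies should be trusted" concern Ángel raises.

```python
import ipaddress

# Constructed example: the /96 from which the proxy mints one IPv6 source
# address per client. Assumed for illustration; not a value from the thread.
PROXY_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/96")


def embed_client_ipv4(prefix: ipaddress.IPv6Network,
                      client_v4: str) -> ipaddress.IPv6Address:
    """Proxy side: place the client's IPv4 address in the low 32 bits of prefix.

    A /96 leaves exactly 32 host bits, so the mapping is lossless and the
    server can recover the original client address from the peer address.
    """
    if prefix.prefixlen != 96:
        raise ValueError("prefix must be a /96 so exactly 32 bits remain")
    v4 = ipaddress.IPv4Address(client_v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_client_ipv4(prefix: ipaddress.IPv6Network,
                        peer_v6: str):
    """Server side: recover the client IPv4 from the proxy's source address.

    Returns None when the peer is not inside the trusted proxy prefix: the
    low 32 bits of an arbitrary IPv6 address carry no client information
    and must not be logged or acted on as if they did.
    """
    v6 = ipaddress.IPv6Address(peer_v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def describe_peer(prefix: ipaddress.IPv6Network, peer_v6: str) -> str:
    """Produce the string an administrator would want to see in a log line."""
    client = extract_client_ipv4(prefix, peer_v6)
    if client is None:
        return f"{peer_v6} (direct, not via proxy)"
    return f"{peer_v6} (via proxy, client {client})"


if __name__ == "__main__":
    # Constructed client address (TEST-NET-2 documentation range).
    mapped = embed_client_ipv4(PROXY_PREFIX, "198.51.100.7")
    print("proxy uses source", mapped)
    print("server sees", describe_peer(PROXY_PREFIX, str(mapped)))
    print("server sees", describe_peer(PROXY_PREFIX, "2001:db8:ffff::c633:6407"))
```

The prefix check is what keeps the scheme safe on the server side: any IPv6 peer outside the proxy's /96 is reported as a direct connection rather than having its low bits misread as a client address.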

