Name based SSH proxy

Kasper Dupont kasperd at
Wed May 27 18:32:01 AEST 2015

On 27/05/15 02.04, Ángel González wrote:
> On 27/05/15 01:22, Kasper Dupont wrote:
> >Whether the client side changes can be done as a
> >ProxyCommand remains an open question. But it is certain
> >that a modification of the ssh client would cover all my
> >needs.
> ....with a modified server that acts as a proxy.

The proxy is not going to be based on an SSH server.
Rather the proxy is going to be a multi-protocol proxy
which I already wrote for dispatching TCP connections to
backends based on hostname.

That proxy does just enough protocol detection to pick
out the hostname. Works great for HTTP and HTTPS.

I have proof of concept code showing that with only a minor
change on the *client* side, connections can go through my
unmodified HTTP proxy and be terminated on an unmodified
ssh server.

That proof of concept code is the baseline which I am
going to compare any other solution against. In order for
me to consider an alternative to that proof of concept
code, the alternative has to offer at least one advantage
over my proof of concept code and not violate any of my

The most tricky of my requirements is likely the one about
ensuring the hostname will be visible to the administrator
of the SSH server without requiring any code changes on the
SSH server.

I welcome any suggestions to how I can address that

A solution which could be implemented as a ProxyCommand
rather than as a modification of the client itself would
be an advantage. I have an idea as to how my proof of
concept could be modified to work as a ProxyCommand. It
remains to be seen, whether it is going to work.

> >I need the proxy to communicate with an unmodified server.
> >And I need this communication to include the hostname for
> >the administrator of said server to see. Whether the
> >administrator would have to look in a logfile or a packet
> >capture in order to see the hostname is not important.
> An unmodified *final server* or *proxy server*? The final server
> would obviously work being unmodified.

The final server needs to work unmodified. Getting that
part to work is trivial if you ignore the requirement about
the hostname being communicated to the final server. But
once the hostname has to be communicated to the final
server, it is not completely trivial. It is still doable
since sending the hostname as part of a field which is
going to be ignored by the server will work.

> The proxy server could have
> modifications or not (perhaps not being a ssh server at all).

The proxy is not going to be an SSH server. The baseline
for the proxy is a server designed to be a multi-protocol
name based TCP frontend. It works with any TCP protocol
in which the client speaks first and the client send the
hostname before hearing from the server. So far the
protocols I found satisfying those requirements are HTTP
and HTTPS.

> And why do you need the server administrator (the administrator
> of the proxy?) to see the hostname?

I am talking about the administrator of the server not
the proxy. It needs to be visible to that administrator
mainly such that in case of misdirected connections the
administator can find the AAAA record directing the client
to said server.

> (the proxy logs would contain it,
> but placing the burden on getting the administrator see the hostname,
> instead of the proxy obtaining it, is strange)

The proxy logs will certainly contain the hostname, but
the administrator of the server could be anybody and
wouldn't have access to the proxy logs.

Sure they can ask for the hostname to be looked up in the
proxy logs. But that would be a needless extra step, if
the server administrator can simply look at the traffic
being sent to the server in order to know the hostname.

> >I believe that once I have an answer to how the proxy can
> >communicate the hostname to the server, then everything
> >else will follow.
> Are you trying to solve a XY Problem ?

No. I have a specific set of requirements, and I
am looking for a solution to address that set of

From the list of requirements I am focusing on that
one requirement because none of the proposed solutions
have addressed it. And my expectation is, that once
that requirement has been addressed it is going to be
obvious how the rest of the problems can be addressed.

> >I don't yet know a way to acheive my desired result using
> >just a ProxyCommand. But with the following change and a
> >ProxyCommand, I believe I would be able to achieve what I
> >am looking for.
> You only need a command that is able to connect to hostname
> "foo" over proxy "bar", and a proxy server of type "bar" installed
> in the ipv4 bridging machine.

That does not address the requirement that the hostname
is communicated to the server.

Sure if that requirement is ignored, there will be plenty
of possible approaches. But I am not going to ignore that

Suggestions to how it can be solved if that requirement
is ignored are not helping me because I have considered
them before and rejected them because they did not
satisfy my requirements.

It would be much more helpful to me if I got a suggested
solution to that single requirement which ignored
everything else.

Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */

More information about the openssh-unix-dev mailing list