Name based SSH proxy

Ángel González keisial at gmail.com
Thu May 28 06:42:06 AEST 2015


On 27/05/15 09:40, Kasper Dupont wrote:
> On 27/05/15 01.42, Ángel González wrote:
>> Why do you want the hostname being used to "be visible to the administrator
>> of the SSH server"?
> In case the AAAA record used by the proxy to find the
> server for some reason points to the wrong IP address,
> I want to ensure that the administrator of the [target] server
> has the opportunity to see the DNS record causing
> connections to end up on their server. That's only
> possible if the hostname is sent to the server somehow.
Well, John Doe connecting through your proxy to 192.168.1.1
because foo.example.org is pointing there instead of 192.168.111.111
is no different from John Doe doing exactly that with a different
connection.

If the DNS record is wrong, there's little 192.168.1.1 can do.


>> In which case, you don't need such thing if using a HTTP CONNECT proxy (the
>> hostname is now given to the HTTP proxy). And if you use a ssh server
>> like the ssh
>> tunneling I proposed, the final hostname is already provided, too.
> Communicating the hostname to the proxy is probably going
> to be the easy part.
Indeed, that's trivial.

> The tricky part is to make it visible to the administrator of the target server.
Yes. The ssh protocol is quite guarded against alterations from the outside.


>> If you want instead to give the hostname used to the *final* sshd,
>> that's a different
>> requirement for which you provided no rationale (and I suspect you are
>> not really
>> interested in).
> That's definitely what I am interested in. The rationale
> is that the administrator of the final server is to have
> access to this information.
As above, I don't think it could do much with it, and it will be
exactly the same, but.

Would you consider it acceptable for the proxy to send a UDP packet to the
target server (e.g. UDP 514) informing it of the requested hostname it's
forwarding?
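To make the UDP 514 idea concrete, here is an added example (not code from the thread or from OpenSSH) of what such a notice could look like on both ends: the proxy formats an RFC 5424 syslog line carrying the name the client asked for, the client's address and the address the proxy resolved, and the target host parses it back out. The app name `sshproxy`, the structured-data id `sshproxy@32473` (32473 is the enterprise number reserved for documentation) and all addresses are assumed/constructed values.

```python
"""Added example: proxy -> target host "requested hostname" notice over syslog/UDP.

Everything here is hypothetical; the name sshproxy, the SD-ID and the sample
addresses are constructed for illustration.
"""
import re
import socket
from datetime import datetime, timezone

SYSLOG_PORT = 514
FACILITY_AUTH = 4          # RFC 5424 facility 4 = auth
SEVERITY_INFO = 6          # RFC 5424 severity 6 = informational
SD_ID = "sshproxy@32473"   # 32473 = enterprise number reserved for documentation
APP_NAME = "sshproxy"      # hypothetical APP-NAME of the proxy


def _escape(value):
    """Escape '\\', '"' and ']' inside a PARAM-VALUE (RFC 5424 section 6.3.3)."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _unescape(value):
    """Reverse _escape: drop the backslash in front of any escaped character."""
    return re.sub(r"\\(.)", r"\1", value)


def build_notice(proxy_host, requested_host, client_ip, resolved_ip, when=None):
    """Return the RFC 5424 line the proxy would send to the target host."""
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = FACILITY_AUTH * 8 + SEVERITY_INFO      # <38>
    sd = '[%s requested="%s" client="%s" resolved="%s"]' % (
        SD_ID, _escape(requested_host), _escape(client_ip), _escape(resolved_ip))
    # PROCID and MSGID are "-" (nil); the free-text MSG is only for humans.
    return "<%d>1 %s %s %s - - %s forwarding ssh connection" % (
        pri, stamp, proxy_host, APP_NAME, sd)


_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) " + re.escape(APP_NAME)
    + r" \S+ \S+ \[" + re.escape(SD_ID) + r" ")
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_SD_BODY = re.compile(r"((?:[^\]\\]|\\.)*)\]")   # up to the first unescaped ']'


def parse_notice(line):
    """Receiving side: extract the fields, or return None if the line is not ours."""
    m = _HEADER.match(line)
    if m is None:
        return None
    sd = _SD_BODY.match(line[m.end():])
    if sd is None:
        return None
    params = {k: _unescape(v) for k, v in _PARAM.findall(sd.group(1))}
    if any(key not in params for key in ("requested", "client", "resolved")):
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m.group(2), "proxy": m.group(3),
        "requested": params["requested"],
        "client": params["client"],
        "resolved": params["resolved"],
    }


def send_notice(line, target_ip, port=SYSLOG_PORT):
    """Fire-and-forget datagram to the target host's syslog port (not exercised by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (target_ip, port))


if __name__ == "__main__":
    # Constructed sample: client 198.51.100.7 asked for foo.example.org, which
    # the proxy resolved to 192.168.1.1 (the "wrong" host from the thread).
    notice = build_notice("proxy.example.org", "foo.example.org",
                          "198.51.100.7", "192.168.1.1")
    print(notice)
    print(parse_notice(notice))
```

Because the datagram is unauthenticated and its source address can be forged, the receiving administrator should treat it as a hint to correlate with sshd's own connection log (matching client address and time), not as proof of anything.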




More information about the openssh-unix-dev mailing list