Name based SSH proxy

Ángel González keisial at
Thu May 28 06:42:06 AEST 2015

On 27/05/15 09:40, Kasper Dupont wrote:
> On 27/05/15 01.42, Ángel González wrote:
>> Why do you want the hostname being used to "be visible to the administrator
>> of the SSH server"?
> In case the AAAA record used by the proxy to find the
> server for some reason points to the wrong IP address,
> I want to ensure that the administrator of the [target] server
> has the opportunity to see the DNS record causing
> connections to end up on their server. That's only
> possible if the hostname is sent to the server somehow.
Well, John Doe connecting through your proxy to
because is pointing there instead of
is no different from John Doe doing exactly that with a different 

If the dns record is wrong, there's little can do

>> In which case, you don't need such thing if using a HTTP CONNECT proxy (the
>> hostname is now given to the HTTP proxy). And if you use a ssh server
>> like the ssh
>> tunneling I proposed, the final hostname is already provided, too.
> Communicating the hostname to the proxy is probably going
> to be the easy part.
Indeed, that's trivial.

> The tricky part is to make it visible to the administrator of the target server.
Yes. ssh protocol is quite guarded against alterations from the outside.

>> If you want instead to give the hostname used to the *final* sshd,
>> that's a different
>> requirement for which you provided no rationale (and I suspect you are
>> not really
>> interested in).
> That's definitely what I am interested in. The rationale
> is that the administrator of the final server is to have
> access to this information.
As above, I don't think it could do much with it, and there will be 
exactly the same, but.

Would you consider acceptable for the proxy to send an udp packet to the 
target server
(eg. udp 514) informing it of the requested hostname it's forwarding?

More information about the openssh-unix-dev mailing list