“Stripped-down” SSH (no encryption or authentication, just forwarding)

Demi M. Obenour demiobenour at gmail.com
Wed Oct 16 09:59:10 AEDT 2019

There have been many cases where I have found myself in need of a pure
forwarding tool that can forward sockets over a single stream.  In my
use cases, this stream is already secure, so there is no need for the
tool to do any encryption or authentication.  One specific use-case was
forwarding a Docker socket to another VM over QubesOS qrexec qrexec,
which uses Xen shared memory, but there are undoubtedly others,
such as forwarding over a pre-authenticated TLS or SSH connection.

OpenSSH already provides this and more, but it wraps them up in an
interface that is inconvenient for the purpose.  I wound up resorting
to `sshd -i` with key-based authentication, but the encryption and
authentication is pointless overhead here, and having to generate
host keys is annoying.  Essentially, this tool would be an “SSH
subsystem” ― it would provide all of the forwarding features of
sshd(8), but without encryption or authentication.  This is similar
to how sftp-server(8) expects an already secure and authenticated

Another alternative would be additional options, like
to ssh(1) and sshd(8).

How difficult would it be to incorporate such a tool into OpenSSH?
If this is not something the OpenSSH developers are interested in, I
could try to write one myself, but that would likely be significantly
more effort and duplicate capabilities already found in the OpenSSH
codebase.  I also won’t have time for quite a while.

Disclaimer: I have almost no knowledge of the SSH protocol, and
have not looked at the OpenSSH source code.  I am merely a (very)
happy user.

Thank you,

Demi M. Obenour

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20191015/7bcd7338/attachment.asc>

More information about the openssh-unix-dev mailing list