“Stripped-down” SSH (no encryption or authentication, just forwarding)
Demi M. Obenour
demiobenour at gmail.com
Wed Oct 16 09:59:10 AEDT 2019
There have been many cases where I have found myself in need of a pure
forwarding tool that can forward sockets over a single stream. In my
use cases, this stream is already secure, so there is no need for the
tool to do any encryption or authentication. One specific use-case was
forwarding a Docker socket to another VM over QubesOS qrexec qrexec,
which uses Xen shared memory, but there are undoubtedly others,
such as forwarding over a pre-authenticated TLS or SSH connection.
OpenSSH already provides this and more, but it wraps them up in an
interface that is inconvenient for the purpose. I wound up resorting
to `sshd -i` with key-based authentication, but the encryption and
authentication is pointless overhead here, and having to generate
host keys is annoying. Essentially, this tool would be an “SSH
subsystem” ― it would provide all of the forwarding features of
sshd(8), but without encryption or authentication. This is similar
to how sftp-server(8) expects an already secure and authenticated
Another alternative would be additional options, like
to ssh(1) and sshd(8).
How difficult would it be to incorporate such a tool into OpenSSH?
If this is not something the OpenSSH developers are interested in, I
could try to write one myself, but that would likely be significantly
more effort and duplicate capabilities already found in the OpenSSH
codebase. I also won’t have time for quite a while.
Disclaimer: I have almost no knowledge of the SSH protocol, and
have not looked at the OpenSSH source code. I am merely a (very)
Demi M. Obenour
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the openssh-unix-dev