Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)

Demi M. Obenour demiobenour at
Wed Oct 16 11:45:41 AEDT 2019

On 2019-10-15 20:33, Darren Tucker wrote:
> The goal of OpenSSH is to replace unencrypted connections, so such a mode
> would be counter to the project's goals, and such features have actually
> been the source of security problems in the past.
What if this was a separate binary that reused the underlying
multiplexing and forwarding logic?  In retrospect, you are correct
that adding such a mode to ssh(1) and sshd(8) would be bad.

> On Wed, 16 Oct 2019 at 11:16, Demi M. Obenour <demiobenour at> wrote:
>> As I mentioned in another email, what I am really looking for is
>> multiplexing multiple socket connections over a single full-duplex
>> stream.
> Sounds like you want a SOCKS server like Dante or similar.
Not really.  A SOCKS server needs one TCP connection for each stream.
SSH can forward many streams over the same TCP connection.

To give a concrete use case: I wrote a program that uses Docker
containers to run untrusted, user-provided code in various languages.
For security reasons, the containers run in a separate QubesOS
disposable VM.  This means that my application can only connect
to the Docker daemon on the remote machine by means of a single
reliable stream.  I used OpenSSH to multiplex many AF_UNIX socket
connections over that stream.   A SOCKS server would not work here,
as it lacks the multiplexing ability.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list