Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
Demi M. Obenour
demiobenour at gmail.com
Wed Oct 16 11:45:41 AEDT 2019
On 2019-10-15 20:33, Darren Tucker wrote:
> The goal of OpenSSH is to replace unencrypted connections, so such a mode
> would be counter to the project's goals, and such features have actually
> been the source of security problems in the past.
>
What if this was a separate binary that reused the underlying
multiplexing and forwarding logic? In retrospect, you are correct
that adding such a mode to ssh(1) and sshd(8) would be bad.
> On Wed, 16 Oct 2019 at 11:16, Demi M. Obenour <demiobenour at gmail.com> wrote:
>
>> As I mentioned in another email, what I am really looking for is
>> multiplexing multiple socket connections over a single full-duplex
>> stream.
>
>
> Sounds like you want a SOCKS server like Dante or similar.
>
Not really. A SOCKS server needs one TCP connection for each stream.
SSH can forward many streams over the same TCP connection.
To give a concrete use case: I wrote a program that uses Docker
containers to run untrusted, user-provided code in various languages.
For security reasons, the containers run in a separate QubesOS
disposable VM. This means that my application can only connect
to the Docker daemon on the remote machine by means of a single
reliable stream. I used OpenSSH to multiplex many AF_UNIX socket
connections over that stream. A SOCKS server would not work here,
as it lacks the multiplexing ability.
Sincerely,
Demi
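To illustrate the multiplexing Demi describes (many independent connections carried over one ordered, reliable stream, which a SOCKS server cannot do), here is an added example that is not part of this thread or of OpenSSH. It is a toy framing layer in Python: the channel-id/length/payload frame format is constructed for the example as a simplified stand-in for the SSH channel layer, and the Docker API request lines are constructed sample data.

```python
"""Toy multiplexer: carry several independent byte streams ("channels") over
one reliable full-duplex stream, as SSH does for forwarded connections.
Frame format (constructed for this example, not SSH's real wire format):
4-byte big-endian channel id, 4-byte big-endian payload length, payload."""
import struct
from collections import defaultdict

HEADER = struct.Struct("!II")   # channel id, payload length
MAX_FRAME = 1 << 20             # reject absurd lengths before buffering them


def encode_frame(channel: int, payload: bytes) -> bytes:
    """Wrap one chunk of a channel's data in a frame for the carrier stream."""
    if len(payload) > MAX_FRAME:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(channel, len(payload)) + payload


class Demuxer:
    """Reassembles frames from arbitrary-sized reads of the carrier stream
    and appends each payload to the per-channel byte stream it belongs to."""

    def __init__(self):
        self._buf = bytearray()
        self.streams = defaultdict(bytearray)

    def feed(self, chunk: bytes) -> None:
        self._buf += chunk
        while len(self._buf) >= HEADER.size:
            channel, length = HEADER.unpack_from(self._buf)
            if length > MAX_FRAME:
                raise ValueError("frame length exceeds MAX_FRAME")
            end = HEADER.size + length
            if len(self._buf) < end:       # partial frame: wait for more data
                return
            self.streams[channel] += self._buf[HEADER.size:end]
            del self._buf[:end]


def multiplex_demo() -> dict:
    # Constructed sample: two client conversations interleaved on one carrier.
    frames = [
        encode_frame(1, b"GET /containers/json HTTP/1.1\r\n"),
        encode_frame(2, b"GET /images/json HTTP/1.1\r\n"),
        encode_frame(1, b"Host: docker\r\n\r\n"),
        encode_frame(2, b"Host: docker\r\n\r\n"),
    ]
    carrier = b"".join(frames)
    demux = Demuxer()
    for i in range(0, len(carrier), 7):    # odd read sizes split frames mid-way
        demux.feed(carrier[i:i + 7])
    return {ch: bytes(data) for ch, data in demux.streams.items()}
```

Each channel's bytes come out contiguous and in order even though the carrier was read in chunks that cut across frame boundaries, which is the property that lets one stream stand in for many socket connections.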