Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)

hvjunk hvjunk at
Wed Oct 16 11:45:54 AEDT 2019

> On 16 Oct 2019, at 00:59 , Demi M. Obenour <demiobenour at> wrote:
> There have been many cases where I have found myself in need of a pure
> forwarding tool that can forward sockets over a single stream.  In my
> use cases, this stream is already secure, so there is no need for the
> tool to do any encryption or authentication.  One specific use-case was
> forwarding a Docker socket to another VM over QubesOS qrexec qrexec,
> which uses Xen shared memory, but there are undoubtedly others,
> such as forwarding over a pre-authenticated TLS or SSH connection.
> OpenSSH already provides this and more, but it wraps them up in an
> interface that is inconvenient for the purpose.  I wound up resorting
> to `sshd -i` with key-based authentication, but the encryption and
> authentication is pointless overhead here, and having to generate
> host keys is annoying.  Essentially, this tool would be an “SSH
> subsystem” ― it would provide all of the forwarding features of
> sshd(8), but without encryption or authentication.  This is similar
> to how sftp-server(8) expects an already secure and authenticated
> connection.

The more I read this, and your other responses, the more I have the funny feeling you are looking for the -L & -R options, perhaps the -J option and should consider the -D & -w & -W  options too.

> Another alternative would be additional options, like
> `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`,
> to ssh(1) and sshd(8).
> How difficult would it be to incorporate such a tool into OpenSSH?
> If this is not something the OpenSSH developers are interested in, I
> could try to write one myself, but that would likely be significantly
> more effort and duplicate capabilities already found in the OpenSSH
> codebase.  I also won’t have time for quite a while.
> Disclaimer: I have almost no knowledge of the SSH protocol, and
> have not looked at the OpenSSH source code.  I am merely a (very)
> happy user.

Perhaps re-read the ssh(1) manual pages…. I found the -w & -W options as I were preparing for a VPN talk the past month ;) (And I’ve been using SSH since 1993)

Else, you might consider VTUN for a stream forwarding option too (and not just a tap/tun connection)

> Thank you,
> Demi M. Obenour
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list