Re: Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)

Jochen Bern Jochen.Bern at binect.de
Wed Oct 16 19:16:58 AEDT 2019


On 10/16/2019 02:04 AM, Demi M. Obenour wrote:
> As I mentioned in another email, what I am really looking for is
> multiplexing multiple socket connections over a single full-duplex
> stream.

As far as I know, SSH's forwarding allows only one kind of "socket",
namely, TCP connections - as opposed to, e.g., UNIX sockets.

If that's what you mean, my recommendation would be to establish the
"trunk" connection not with OpenSSH, but OpenVPN.

OpenVPN can use TCP and (preferred) UDP for the "trunk", can AFAIK be
configured not to encrypt the *data* stream at all, will automatically
re-establish the "trunk" when it gets closed, and the server can "push"
a route to the subnet your Docker containers live in to the client. (If
that subnet or the addresses thereon tend(s) to *change* over time,
finding the proper IPs to connect to from the VPN client might become a
(minor) problem.)

If you want to avoid even the *potential* overhead of the encryption
parts of a VPN software like OpenVPN, my next suggestion would be GRE,
but I haven't done *that* on a unixoid base yet and you *will* have to
do quite some work to permit GRE tunnels from A to B through all the
firewalls that may sit on the path ...

Kind regards,
-- 
Jochen Bern
Systems Engineer

Binect GmbH
Robert-Koch-Straße 9
64331 Weiterstadt
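As an added illustration of the OpenVPN setup suggested in the mail above (this is example configuration, not part of the original message or of any OpenVPN project documentation): a minimal server/client pair with the "trunk" over UDP, the data channel left unencrypted and unauthenticated while the TLS control channel still authenticates both ends, automatic reconnection, and the container subnet pushed to the client. The hostname, certificate paths and the 172.17.0.0/16 subnet are placeholders, and the option names assume OpenVPN 2.4 (2.5 and later deprecate ncp-disable in favour of the data-ciphers mechanism).

```conf
# ---- server.conf (assumed OpenVPN 2.4; paths/subnet are placeholders) ----
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# Data channel in cleartext and without HMAC; the TLS control channel
# (certificates above) still authenticates client and server to each other.
cipher none
auth none
# Stop cipher negotiation from upgrading the data channel to AES-GCM anyway.
ncp-disable
# Ping every 10 s, declare the trunk dead after 60 s and restart it;
# persist-* keep key material and the tun interface across that restart.
keepalive 10 60
persist-key
persist-tun
# Push a route for the Docker container subnet (placeholder value) to the client.
push "route 172.17.0.0 255.255.0.0"

# ---- client.conf ----------------------------------------------------------
client
dev tun
proto udp
remote vpn.example.org 1194      # placeholder hostname
resolv-retry infinite            # keep retrying DNS/connect on failure
nobind
ca   ca.crt
cert client.crt
key  client.key
# Only accept a peer whose certificate is marked for server use.
remote-cert-tls server
cipher none
auth none
ncp-disable
persist-key
persist-tun
```

Because the data channel carries no confidentiality or integrity protection, packets can be read or altered by anything on the path, which is the trade the original question asks for; the route push lets the client reach the container subnet once the trunk is up.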
