Adding SNI support to SSH

Nico Schottelius nico.schottelius at ungleich.ch
Mon Jan 13 02:39:02 AEDT 2020


Hey Thorsten,

Thorsten Glaser <t.glaser at tarent.de> writes:

> On Sun, 12 Jan 2020, Nico Schottelius wrote:
>
>> I was wondering what you think about SNI (server name indication)
>> support to OpenSSH?
>
> Oh, please absolutely not. SNI is a privacy violation in HTTP, and
> otherwise just a poor excuse to continue running NAT and/or IPv4.

You might have misunderstood me. The purpose of my request was to enable
transition towards IPv6 networks. Concretely, the following scenario:


[ v4 Internet ]
       |
[ v4 to v6proxy ]----------------------------
       |                |                 |
[v6 only host 1] [v6 only host 2] [v6 only host 3]
       |                |                 |
[ v6 Internet ]----------------------------

If we had any possibility to support this scenario, a lot of services
that we see could be shifted to IPv6 only hosts today and not tomorrow.

The "migrate everyone at once" approach really doesn't work in real
life, you need to have either network providers or content providers make
a start. And at this point a lot of things can already be shifted to
IPv6 only machines while still being accessible from the legacy Internet.

Besides ssh.

Let me rephrase my original question, I don't actually want SNI:

Is there any way to create a multiplexing proxy for SSH?

Best regards,

Nico



--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch

