Adding SNI support to SSH

Dustin Lundquist dustin at null-ptr.net
Mon Jan 13 06:58:49 AEDT 2020


> Have you ever considered using ssh's proxy-command for this?
> I have a similar setup, works great for me.

I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had an SNI-like feature where a host identifier was passed in plain text during the initial connection, the user would just need to register their host identifier and IPv6 address (e.g. via AAAA DNS records), and the service provider wouldn’t need to maintain a list of allowed users. The proxy would have no more access to the contents of the SSH connection than any other intervening stateful firewall.

I don’t see a compelling security reason not to optionally include the hostname in the clear; any eavesdropper near the client would observe the DNS request and the SSH TCP connection anyway.


-Dustin
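As an added sketch of the routing step in the proxy described above (not code from this thread or from OpenSSH): it assumes the host identifier rides in the comments field of the client identification string (RFC 4253 section 4.2) as a hypothetical `sni=` token, and a constructed dictionary stands in for the AAAA lookups. The proxy forwards the identification line verbatim because V_C is an input to the exchange hash, so a proxy that rewrote it would break host key verification at the client.

```python
import ipaddress
import re

# Constructed registry standing in for AAAA lookups of registered host
# identifiers (assumption: users register "name -> IPv6" as proposed).
REGISTRY = {
    "alice.example.net": "2001:db8::10",
    "bob.example.net": "2001:db8::20",
}

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including CR LF. The "sni=" token in the comments
# field is a hypothetical carrier for the plaintext host identifier.
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<soft>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n$"
)
_SNI_RE = re.compile(rb"(?:^| )sni=(?P<name>[A-Za-z0-9.-]{1,253})(?: |$)")
_MAX_IDENT = 255


def parse_host_identifier(ident_line: bytes):
    """Return the host identifier from the comments field, or None."""
    if len(ident_line) > _MAX_IDENT:
        return None
    m = _IDENT_RE.match(ident_line)
    if not m or m.group("proto") != b"2.0" or not m.group("comments"):
        return None
    s = _SNI_RE.search(m.group("comments"))
    return s.group("name").decode("ascii").lower() if s else None


def route(ident_line: bytes, registry=REGISTRY):
    """Choose the backend for one connection, failing closed on anything
    missing, malformed or unregistered.

    Returns (ipv6_address, bytes_to_forward) or None. The proxy reads only
    this first line, forwards it unchanged, then relays bytes blindly; the
    key exchange and everything after it stay opaque to it."""
    name = parse_host_identifier(ident_line)
    if name is None or name not in registry:
        return None
    addr = ipaddress.IPv6Address(registry[name])  # validates the record
    return str(addr), ident_line
```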
