Adding SNI support to SSH

Christian Weisgerber naddy at
Mon Jan 13 07:56:50 AEDT 2020

On 2020-01-12, Dustin Lundquist <dustin at> wrote:

> I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to register their host identifier and IPv6 address (e.g. via AAAA DNS records), and the service provider wouldn’t need to maintain a list of allowed users. The proxy would have no more access to the contents of the SSH connection than any other intervening stateful firewall.

You can do this with a jump host, see ProxyJump in ssh_config(5).

Christian "naddy" Weisgerber                          naddy at

More information about the openssh-unix-dev mailing list