Adding SNI support to SSH

Marcus Hann marcus at
Tue Jan 14 00:10:17 AEDT 2020

On 12/01/2020 15:39, Nico Schottelius wrote:
 > Hey Thorsten,
 > you might have misunderstood me. The purpose of my request was to enable
 > transition towards IPv6 networks. Concrete, the following scenario:
 > [ v4 Internet ]
 >         |
 > [ v4 to v6proxy ]----------------------------
 >         |                |                 |
 > [v6 only host 1] [v6 only host 2] [v6 only host 3]
 >         |                |                 |
 > [ v6 Internet ]----------------------------
 > If we had any possibility to support this scenario, a lot of services
 > that we see could be shifted to IPv6 only hosts today and not tomorrow.
 > The "migrate everyone at once" approach really doesn't work in real
 > life, you need to have either network providers or content providers do
 > a start. And at this point a lot of things can already be shifted to
 > IPv6 only machines with still being accessible from the legacy Internet.
 > Besides ssh.
 > Let me rephrase my original question, I don't actually want SNI:
 > Is there any way to create a multiplexing proxy for SSH?

FWIW a provider called Mythic Beasts[0] seem to have much the same issue 
as you. They provide IPv6-only servers and need to provide ssh access to 
them over IPv4. What they do is multiplex based on port number. For 
example, to ssh to one server I run:

ssh -p 5167 root at

and to another I run:

ssh -p 5161 root at

It's not quite as slick as automatically routing based on the domain 
used for access but does the trick well enough for them and is used in 


More information about the openssh-unix-dev mailing list