Adding SNI support to SSH

Jochen Bern Jochen.Bern at binect.de
Tue Jan 14 02:16:00 AEDT 2020


On 01/13/2020 11:10 AM, Nico Schottelius wrote:
> The problem I am trying to solve is: there are thousands of users on
> IPv4 only networks who I cannot all communicate with. And they need to
> access resources on IPv6 only systems.
> 
> The typical jump host / proxy command approach surely works, but only
> for a small percentage of the users. The big part actually reaches out
> to the support and has severe problems if they cannot just use "plain
> ssh" (i.e. need to configure ssh or don't land on the target host
> immediately).

Out of interest:
1. If an extended mechanism were to be implemented, which server pubkey
   do you expect to be seen/stored/verified by the client? The proxy's
   / v4 middlebox's, or the v6 backend's? Or would you require that all
   server-side machines use the *same* host keypairs?
2. Are there any clients *with* v6 accessing the same backends? Via
   generic v6? How is the distinction made, FQDNs given in the public
   DNS with the proxy's v4 and the backend's v6 IP and leave the
   selection to the client? Could client machines *switch* between both
   modes, short of an all-out reconfig by the sysadmins' hands?

Proxy pubkey (≠ backend pubkey) for v4 and clients can switch between v4
and v6 ==> Users get MitM alerts after every switch.

Backend pubkey (≠ proxy pubkey) for v4 ==> Any user using the
ssh-keyscan tool will probably thus stuff his known_hosts file with the
*wrong* one(s).

Etcetera.

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
Robert-Koch-Straße 9
64331 Weiterstadt
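
The two failure cases above (a v4 proxy key and a v6 backend key recorded under the same name, and ssh-keyscan capturing the proxy's key under the backend's name) both come down to how the client matches a presented host key against known_hosts. The following is an added example, not code from this thread or from OpenSSH; it re-implements the known_hosts decision in Python (exact match accepted; a different key of the same type under a matching name gives the "host identification has changed" warning; otherwise the host is new), including hashed entries as written by HashKnownHosts, and replays the scenario. The host name `backend.example`, the salt and the key blobs are constructed for illustration and are not real keys; `[host]:port` syntax, `!` negation and `@cert-authority`/`@revoked` markers are deliberately not modelled.

```python
"""Simulate OpenSSH's known_hosts lookup to show why a v4 proxy and a v6
backend with different host keys produce MitM warnings when a client
switches between them.  Added example, not OpenSSH code; sample data is
constructed."""

import base64
import fnmatch
import hashlib
import hmac

HOST_OK, HOST_NEW, HOST_CHANGED = "OK", "NEW", "CHANGED"


def hash_hostname(hostname, salt):
    """Hashed host field as written with HashKnownHosts=yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def host_field_matches(field, hostname):
    """Match one known_hosts host field (hashed, or comma-separated
    plain/wildcard names) against a host name.  [host]:port and '!'
    negation are not modelled here (assumption for brevity)."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), field)
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in field.split(","))


def parse_known_hosts(text):
    """Return (host_field, key_type, key_b64) triples.  Comment lines and
    @cert-authority / @revoked marker lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        host_field, key_type, key_b64 = line.split()[:3]
        entries.append((host_field, key_type, key_b64))
    return entries


def check_host_key(entries, hostname, key_type, key_b64):
    """The decision the client makes: exact key match under a matching
    name is OK; a *different* key of the same type under a matching name
    is CHANGED (the warning users see); no matching name/type is NEW.
    Several lines for the same name are allowed, any matching one wins."""
    verdict = HOST_NEW
    for host_field, k_type, k_b64 in entries:
        if not host_field_matches(host_field, hostname):
            continue
        if k_type == key_type and k_b64 == key_b64:
            return HOST_OK
        if k_type == key_type:
            verdict = HOST_CHANGED
    return verdict


# Constructed sample data: the blobs are arbitrary bytes, not real keys.
HOST = "backend.example"
PROXY_KEY = ("ssh-ed25519", base64.b64encode(b"v4-proxy-hostkey").decode())
BACKEND_KEY = ("ssh-ed25519", base64.b64encode(b"v6-backend-hostkey").decode())
SALT = b"0123456789abcdef0123"  # constructed 20-byte salt


def scenario():
    """Replay the situation from the mail; returns the verdict per step."""
    # 1. First contact over IPv4 (or an ssh-keyscan over IPv4) records
    #    the proxy's key under the backend's name.
    after_v4 = parse_known_hosts("{} {} {}\n".format(HOST, *PROXY_KEY))
    # 2. The same client later reaches the backend directly over IPv6 and
    #    is offered the backend's (different) key of the same type.
    # 3. A known_hosts listing both keys under the name accepts either path.
    both = parse_known_hosts(
        "{} {} {}\n{} {} {}\n".format(HOST, *PROXY_KEY, HOST, *BACKEND_KEY))
    # 4. Hashing the name changes storage, not the decision.
    hashed = parse_known_hosts(
        "{} {} {}\n".format(hash_hostname(HOST, SALT), *PROXY_KEY))
    return {
        "v4_again": check_host_key(after_v4, HOST, *PROXY_KEY),
        "switch_to_v6": check_host_key(after_v4, HOST, *BACKEND_KEY),
        "both_v4": check_host_key(both, HOST, *PROXY_KEY),
        "both_v6": check_host_key(both, HOST, *BACKEND_KEY),
        "hashed_v4": check_host_key(hashed, HOST, *PROXY_KEY),
        "unknown_host": check_host_key(after_v4, "other.example", *PROXY_KEY),
    }


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print("{:14s} {}".format(step, verdict))
```

Running it shows `switch_to_v6` as CHANGED: the warning fires on every v4/v6 switch as long as the two machines present different keys under one name, and a known_hosts populated by ssh-keyscan over v4 is stuck with the proxy's key. The `both_*` results show the way out that does not require identical host keypairs: two lines for the same name, one per key, are accepted by the client.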
