Adding SNI support to SSH
Luca Filipozzi
lfilipoz at emyr.net
Tue Jan 14 05:23:05 AEDT 2020
On Mon, Jan 13, 2020 at 05:14:02PM +0100, Nico Schottelius wrote:
> p.s.: HAProxy, which we use, can even forward the original client IP to
> the end host using the "proxy protocol".
>
> pps: The whole haproxy configuration for it looks as following. It
> supports smtps, imaps. https and http at the moment.
>
> # ipv4 https frontend
> frontend httpsipv4
> bind ipv4@:443
> mode tcp
> option tcplog
> tcp-request inspect-delay 5s
> tcp-request content accept if { req_ssl_hello_type 1 }
> default_backend httpsipv4
>
> backend httpsipv4
> mode tcp
> use-server webmail.ungleich.ch if { req_ssl_sni -i webmail.ungleich.ch }
> server webmail.ungleich.ch ipv6@webmail.ungleich.ch
> ...
>
Neat. I do something similar: in order to circumvent obnoxious airport /
coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
to offer 'SSH over HTTPS'. haproxy terminates the HTTPS connection
(which is SNI-aware) while sshd on the target machine terminates the
tunneled SSH connection.
In ssh_config, I use ProxyCommand to invoke gnutls-client to create the
HTTPS connection.
You've indicated that you don't want to compel your users to make
significant changes to ssh_config, but others in this thread have noted
that an SNI option for OpenSSH will take some time to propagate from
ideation through development through widespread* deployment.
Would this SSH-over-HTTPS option be worth considering for your use case
while the SNI-aware OpenSSH gets more backers? (I think I might be one,
now. You may wish to ask for Proxy-Protocol support, also.)
* sufficiently widespread that your users can get packages from distros
--
Luca Filipozzi
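A minimal version of the arrangement described above, added here as an illustration and not the poster's own configuration: haproxy terminates TLS on port 443, picks the backend from the SNI name, and passes the inner SSH stream untouched to sshd, while the client's ssh_config wraps the connection in gnutls-cli. The hostnames, addresses and paths are invented, and it assumes gnutls-cli is built with the --sni-hostname and --logfile options.

```conf
# /etc/haproxy/haproxy.cfg  (hypothetical names and addresses)
defaults
    timeout connect 5s
    timeout client  1h      # interactive SSH sessions sit idle for a long time
    timeout server  1h

# TLS is terminated here, so the requested name is available as ssl_fc_sni
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/
    mode tcp
    option tcplog
    # only the SSH name goes to sshd; anything else is ordinary HTTPS
    use_backend ssh_tunnel if { ssl_fc_sni -i ssh.example.com }
    default_backend web

backend ssh_tunnel
    mode tcp
    # plain SSH to the real host. No send-proxy: sshd does not speak the
    # PROXY protocol, so it will only ever see haproxy's address as the peer.
    server ssh1 192.0.2.10:22

backend web
    mode tcp
    server web1 192.0.2.20:80

# ~/.ssh/config on the client
# The outer TLS session is verified against the system CA store by gnutls-cli;
# the inner SSH session is still verified by ssh against the known host key.
Host ssh-via-443
    HostName ssh.example.com
    ProxyCommand gnutls-cli --sni-hostname %h --port 443 --logfile /dev/null %h
```

The --logfile option keeps gnutls-cli's handshake diagnostics off the stdin/stdout pipe that ssh uses for the tunneled connection.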