Adding SNI support to SSH

Nico Schottelius nico.schottelius at ungleich.ch
Tue Jan 14 08:27:26 AEDT 2020


Ciao Luca,

Luca Filipozzi <lfilipoz at emyr.net> writes:
>> [ ... ]
> Neat. I do something similar: in order to circumvent obnoxious airport /
> coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
> to offer 'SSH over HTTPS'.  haproxy terminates the HTTPS connection
> (which is SNI-aware) while sshd on the target machine terminates the
> tunneled SSH connection.
>
> In ssh_config, I use ProxyCommand to invoke gnutls-client to create the
> HTTPS connection.

Quite nice as well!

> You've indicated that you don't want to compel your users to make
> significant changes to ssh_config, but others in this thread have noted
> that an SNI option for OpenSSH will take some time to propagate from
> ideation through development through widespread* deployment

I perfectly understand that. At the moment we give out a WireGuard
IPv6 VPN for free to all users, which also has the nice side effect of
giving anyone anywhere (even behind CGNAT) IPv6 connectivity.

Surprisingly adding a totally new program with totally different
characteristics so far turned out to be easier than having users edit
their ssh config.

> Would this SSH-over-HTTPS option be worth considering for your use case
> while the SNI-aware OpenSSH gets more backers? (I think I might be one,
> now. You may wish to ask for Proxy-Protocol support, also.)
>
> * sufficiently widespread that your users can get packages from distros

I might have mixed up two cases in my previous mails a bit, which share
a lot of properties:

a) enabling IPv4 to IPv6 users
b) enabling load balancing for multiple clusters

The (b) case has 1 name per cluster, each serving multiple nodes behind
the name. (b) is currently solved using round robin DNS with a 60s
timeout. And yes, indeed all those nodes have the same host keys and
it needs 1 public IPv4 address per cluster.

Both cases would significantly profit from an ability to dispatch by
name or intent, not only for us, but also for other organisations we
work with.

So I am fine with taking some time to find a good solution that can be
agreed on and waiting for all the ripple effects, because I literally
see the potential of making life easier for thousands of people.

Best regards,

Nico

--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
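
The name-based dispatch discussed in this thread (haproxy reading the SNI before handing the tunnelled stream to sshd) hinges on one field of the TLS ClientHello. As an added example that is not from this thread, from haproxy or from OpenSSH, the Python below parses that server_name extension; the ClientHello bytes and host names are constructed test input, not captured traffic.

```python
# Added example: extract the server_name (SNI) extension from a TLS ClientHello,
# the field an SNI-aware front end inspects before routing a connection by name.
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying one SNI entry (constructed input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                # version, random (zeros, constructed)
            + b"\x00"                                              # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                   # one cipher suite
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name of a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:           # TLS handshake record, client_hello
            return None
        pos = 5 + 4 + 2 + 32                                 # headers, version, random
        pos += 1 + record[pos]                               # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
        pos += 1 + record[pos]                               # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:
                # server_name: list length (2), then entries of type (1), length (2), name
                lpos = pos + 2
                name_type = record[lpos]
                name_len = struct.unpack_from("!H", record, lpos + 1)[0]
                if name_type != 0 or lpos + 3 + name_len > ext_end:
                    return None                              # unknown type or truncated name
                return record[lpos + 3:lpos + 3 + name_len].decode("ascii")
            pos += ext_len
        return None                                          # no server_name extension present
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```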


More information about the openssh-unix-dev mailing list