SNI-like routing
Jochen Bern
Jochen.Bern at binect.de
Mon Sep 26 09:35:11 AEST 2022
On 21.09.22 22:59, Carl Karsten wrote:
> I would like to keep ports all standard: 22 for ssh, 80/443 for
> http/s, etc. and route to the VM based on hostname.
Unlike the Host: header in HTTP (since 1.1) and the SNI extension of TLS,
the SSH protocol AFAICT does not provide a means for the client to tell
the server about the original/requested server name, much less doing so
*before* the server starts talking (and thus effectively identifies
itself). Hence, this can only be done by non-transparently wrapping SSH
into another protocol layer, at which point you might make certain
(non-OpenSSH) client implementations difficult or impossible to use.
On the other hand, while sticking to the standard ports has advantages
with web servers (ability to use https://www.ssllabs.com/ssltest/ , or
an ACME client with HTTP challenge-response against Let's Encrypt, for
example), nonstandard ports for SSH are more common, if not even
recommended for Internet-facing systems (less noise in the logfiles at
least).
Thus, my recommendation would be to randomize the ports (which AFAIK all
usual SSH clients support), rather than to try to come up with some
in-band trickery and then find out how portable it is IRL. :-3
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
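To make the distinction in the reply above concrete, here is an added example (not code from the post, from OpenSSH, or from any listed project): a "peek at the first bytes" classifier of the kind a hostname-based front end on ports 80/443 would use. It builds a constructed TLS ClientHello with an SNI extension, parses the SNI back out, reads the Host: header of a constructed HTTP request, and shows that an SSH client's identification line carries no target hostname at all. Hostnames, the cipher suite and the all-zero random are assumptions for the sample input only.

```python
"""Demultiplex a fresh TCP connection by its first bytes (added example).

For TLS and HTTP the client speaks first and names the host; for SSH the
only thing the client can send ("SSH-2.0-..." ) names no host, so there
is nothing to route on.  All inputs below are constructed for the demo.
"""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # host_name type 0
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    body = (
        b"\x03\x03"                                  # client_version
        + b"\x00" * 32                               # random (constructed, all zero)
        + b"\x00"                                    # session_id length 0
        + struct.pack(">H", 2) + b"\x13\x01"         # cipher_suites (assumed: one suite)
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack(">H", len(sni_ext)) + sni_ext  # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello msg
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def tls_sni(data: bytes):
    """Return the host_name from a TLS ClientHello's SNI extension, or None."""
    if len(data) < 5 or data[0] != 0x16:              # not a handshake record
        return None
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    p = 4 + 2 + 32                                    # msg header, version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                    # session_id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]      # cipher_suites
    if p + 1 > len(hs):
        return None
    p += 1 + hs[p]                                    # compression_methods
    if p + 2 > len(hs):
        return None
    ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= min(ext_end, len(hs)):             # walk the extension list
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        edata = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != 0 or len(edata) < 5:
            continue
        q = 2                                         # skip server_name_list length
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
            if ntype == 0:                            # host_name entry
                return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None


def http_host(data: bytes):
    """Return the Host: header value of a plaintext HTTP/1.x request head, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # request head incomplete
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def route(first_bytes: bytes):
    """Classify a connection by its first bytes: (protocol, hostname-or-None)."""
    if first_bytes.startswith(b"SSH-"):
        return ("ssh", None)                          # identification line names no host
    sni = tls_sni(first_bytes)
    if sni is not None:
        return ("tls", sni)
    host = http_host(first_bytes)
    if host is not None:
        return ("http", host)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in (build_client_hello("vm1.example.com"),
                   b"GET / HTTP/1.1\r\nHost: vm2.example.com\r\n\r\n",
                   b"SSH-2.0-OpenSSH_9.3\r\n"):
        print(route(sample))
```

A real front end would peek with MSG_PEEK (or buffer and replay the bytes) and then splice the connection to the chosen VM; for SSH the peek yields only the client's version line, which is why the routing decision has to come from somewhere else, such as the per-VM port the reply recommends.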