Protocol Version Exchange: the comments field and an idea how to use it
Hannes Hörl
hannes.hoerl at snowreporter.com
Thu Nov 14 00:25:44 EST 2013
Hi.
Just to be clear:
This all is just my imaginary use case. Anyhow, I think you could call
the thing I'm thinking about "poor man's SNI[0] for SSH" ...
So my question(s) rephrased:
Why isn't there anything like SNI for SSH? For security reasons? Is
there no demand? Is there a better solution which I don't know of?
On 11/13/2013 01:25 PM, J's Mail wrote:
> What you describe can be configured today, with no development effort at
> all.
> [...]
> client machine
> ssh_config:
> Host private_internal_machine
> hostname 192.168.1.22
> ProxyCommand ssh proxy -W %h:%p
If I understand this right this would make an ssh connection to the
proxy, terminate it there - and make a second connection from the client
machine to the backend machine, tunneled through the first ssh
connection, right?
So anything needed (account, certs, ...) to authenticate a user on the
backend machine needs to be set up and available on the proxy too.
> This particular configuration would require the proxy/gateway machine to
> have credentials configured for the desired accounts. This may or may
> not be a stumbling block.
For my imaginary use case, the backend machines would be (virtual) hosts
for customers, friends, ... where I have no idea about e.g. user
accounts (or for that matter: I'd have no idea about anything going on
on those hosts).
The only thing I know is, if there is a host with a certain hostname in
my backend network or not. If so I'd like to pipe through the connection
to the desired host. I don't want to have any ssh connection to the
proxy machine itself.
Therefore my idea:
the magical '-H'[1] switch (or some setting in the ssh_config).
$ ssh -H user@www.mybackendhost.com
www.mybackendhost.com resolves to the IP of the proxy (there is already
HAProxy running for proxying HTTP ...). The '-H' option appends the
hostname (www.mybackendhost.com again) to the "Protocol Exchange String"[2].
My proxy daemon then just has to listen to the first line (or first 255
chars or whatever) and, based on this, can determine where the
connection has to go. It doesn't have to have any idea about ssh,
encryption, ... itself. After finding the desired host, my proxy daemon
just has to sit between the client and the backend host and forward data
coming from either side to the other - without knowing, what this data
is actually about.
Thank you for your input anyways!
Bye, Hannes
[0] https://en.wikipedia.org/wiki/Server_Name_Indication
[1] I just picked '-H' because it seems to be unused by now
[2] for example:
SSH-2.0-OpenSSH_6.4p1 www.mybackendhost.com
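The proxy daemon sketched in the message above, as an added example that is not part of the original post and not OpenSSH or HAProxy code. It assumes a client that really does put the target hostname into the comments field of its identification line (the proposed '-H' switch; stock OpenSSH has no such option), a constructed routing table ROUTES, and a listening port of 2222 for a local test. The proxy reads exactly one line from the client, parses it per RFC 4253 section 4.2 ("SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes), looks the comment up as a hostname, replays the line unchanged to the chosen backend and then forwards bytes in both directions without understanding any of them.

```python
"""Route an incoming TCP connection on the comments field of the SSH client
identification line (RFC 4253 section 4.2), then splice the two sockets.
Added example for the proposal above; not code from OpenSSH or HAProxy."""
import re
import socket
import threading

# RFC 4253 4.2: identification line is at most 255 bytes including CR LF;
# the two version fields contain no space or minus, comments is free text.
MAX_IDENT = 255
_IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^- ]+)-(?P<soft>[^ ]+)(?: (?P<comments>.*))?$")
_HOSTNAME_RE = re.compile(rb"[a-z0-9.-]+")

# Constructed routing table for this example: hostname -> (backend host, port).
ROUTES = {
    b"www.mybackendhost.com": ("192.168.1.22", 22),
    b"git.mybackendhost.com": ("192.168.1.23", 22),
}


def parse_identification(line: bytes):
    """Split one identification line (without CR LF) into
    (protoversion, softwareversion, comments). Raises ValueError on junk."""
    if len(line) + 2 > MAX_IDENT:
        raise ValueError("identification line longer than 255 bytes")
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification line")
    return m.group("proto"), m.group("soft"), m.group("comments") or b""


def select_backend(line: bytes, routes=ROUTES):
    """Return (host, port) for the hostname carried in the comments field,
    or None when there is no comment, it is not a plain hostname, or it is
    not in the routing table (a plain OpenSSH client sends no comment)."""
    _proto, _soft, comments = parse_identification(line)
    name = comments.strip().lower()
    if not _HOSTNAME_RE.fullmatch(name):
        return None
    return routes.get(name)


def read_identification(sock: socket.socket) -> bytes:
    """Read the client's first line one byte at a time so nothing past the
    line terminator is consumed; clients must not send anything before it."""
    buf = bytearray()
    while len(buf) < MAX_IDENT:
        c = sock.recv(1)
        if not c:
            raise ValueError("connection closed before identification line")
        buf += c
        if buf.endswith(b"\n"):  # accept LF-only as well as CR LF
            return bytes(buf)
    raise ValueError("no line terminator within 255 bytes")


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    """Route one accepted connection and splice it to its backend."""
    try:
        raw = read_identification(client)
        backend = select_backend(raw.rstrip(b"\r\n"))
        if backend is None:
            client.close()
            return
        upstream = socket.create_connection(backend, timeout=10)
        upstream.settimeout(None)
        # Replay V_C byte for byte: the client's identification line is part
        # of the exchange hash (RFC 4253 section 8), so altering it, e.g. by
        # stripping the comment, would make the key exchange fail.
        upstream.sendall(raw)
    except (OSError, ValueError):
        client.close()
        return
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)
    client.close()
    upstream.close()


def serve(bind=("127.0.0.1", 2222)) -> None:
    """Accept loop; one thread per connection is enough for an example."""
    with socket.create_server(bind) as srv:
        while True:
            conn, _peer = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two properties of this design are worth keeping in mind. The hostname travels in cleartext and is unauthenticated, exactly as an SNI value in a TLS ClientHello is, so it can only be used for routing, never for any authorization decision. And because both identification lines are hashed into the exchange hash and the backend's host key is verified by the client afterwards, the proxy has to pass the first line through untouched, and a proxy that sends a client to the wrong backend shows up as a host key mismatch on any client that already knows the intended host.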