Protocol Version Exchange: the comments field and an idea how to use it

J's Mail jmales at gmail.com
Thu Nov 14 03:56:52 EST 2013


Hannes,

So my question(s) rephrased:
> Why isn't there anything like SNI for SSH? For security reasons? Is there
> no demand? Is there a better solution which I don't know of?


I have no idea if such a thing has been discussed before.  Personally,
while I understand the use case, I'm not convinced of the need to modify
ssh to accommodate it.



> If I understand this right this would make an ssh connection to the proxy,
> terminate it there - and make a second connection from the client machine
> to the backend machine, tunneled through the first ssh connection, right?
> So anything needed (account, certs, ...) to authenticate a user on the
> backend machine needs to be set up and available on the proxy too.
>
>
You appear to understand my suggestion correctly; it does stipulate account
management on the proxy/gateway.

Alternative solutions for the use case you describe (with varying
requirements):

- iptables rules - certain IP ranges can be automatically forwarded to
certain hosts and ports.  Configure your proxy/gateway thus.  Requirement:
known source addresses
- corkscrew - tunnels SSH traffic through an HTTP proxy.  You'd have to
reverse the direction of the proxy, and that seems wonky to me, so be sure
you lock it down as much as possible.  Requirement: HTTP proxy
- sslh - (http://www.rutschle.net/tech/sslh.shtml) this project
self-describes as an application demultiplexer.  As far as I'm aware, it
doesn't handle your use case, but I would present the use case to them;
they may be able to accommodate.  Even if the comment field were
implemented, you'd need a server application to read and interpret the
host.  This project already meets that need.  Modifying sshd, especially
with the lack of authentication, seems unnecessary.


> Thank you for your input anyways!

You're welcome, thanks for asking the question; I like exploring the edges
of what's possible.


-- Jess
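The "server application to read and interpret the host" that the reply mentions, as an added example (not from the thread, and not sslh's code): a minimal parser for the RFC 4253 identification string that uses its comments field as a routing key into a fixed allowlist, so the unauthenticated, client-chosen value never becomes a destination on its own. The `host=` convention, the backend names and the addresses are assumptions for illustration.

```python
"""Demultiplex SSH on the identification string's comments field (RFC 4253 s.4.2).

Added illustration, not part of the mailing-list thread or of sslh. The
identification string has the form
    SSH-protoversion-softwareversion SP comments CR LF
and must not exceed 255 bytes including CR LF. Everything here arrives
before key exchange, so nothing in it is authenticated.
"""
import re

# protoversion and softwareversion contain no space or '-'; comments may contain spaces.
_IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^\s-]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n$")

# Constructed allowlist: the only backends this proxy is willing to forward to.
BACKENDS = {
    b"alpha.example.internal": ("10.0.0.11", 22),
    b"beta.example.internal": ("10.0.0.12", 22),
}
DEFAULT_BACKEND = ("10.0.0.10", 22)


def parse_ident(line: bytes):
    """Return (protoversion, softwareversion, comments-or-None); raise ValueError if malformed."""
    if len(line) > 255:
        raise ValueError("identification string exceeds 255 bytes")
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string")
    return m.group("proto"), m.group("software"), m.group("comments")


def choose_backend(line: bytes):
    """Pick a backend from the comments field.

    The field is client-supplied and unauthenticated, so it is used only as a
    lookup key into BACKENDS; an unknown or missing name falls through to the
    default backend instead of being turned into a destination.
    """
    proto, _software, comments = parse_ident(line)
    if proto != b"2.0":
        raise ValueError("only SSH-2.0 clients are demultiplexed")
    if comments:
        # Assumed convention (not a standard): a "host=<name>" token in the comments.
        for token in comments.split():
            if token.startswith(b"host="):
                return BACKENDS.get(token[5:].lower(), DEFAULT_BACKEND)
    return DEFAULT_BACKEND
```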


More information about the openssh-unix-dev mailing list