Adding SNI support to SSH
Marcus Hann
marcus at hhra.uk
Tue Jan 14 00:10:17 AEDT 2020

On 12/01/2020 15:39, Nico Schottelius wrote:
>
> Hey Thorsten,
>
> you might have misunderstood me. The purpose of my request was to enable
> transition towards IPv6 networks. Concretely, the following scenario:
>
>
>            [ v4 Internet ]
>                   |
>           [ v4 to v6proxy ]----------------------------
>            |                  |                  |
>   [v6 only host 1]   [v6 only host 2]   [v6 only host 3]
>            |                  |                  |
>     [ v6 Internet ]----------------------------
>
> If we had any possibility to support this scenario, a lot of services
> that we see could be shifted to IPv6 only hosts today and not tomorrow.
>
> The "migrate everyone at once" approach really doesn't work in real
> life, you need to have either network providers or content providers do
> a start. And at this point a lot of things can already be shifted to
> IPv6 only machines with still being accessible from the legacy Internet.
>
> Besides ssh.
>
> Let me rephrase my original question, I don't actually want SNI:
>
> Is there any way to create a multiplexing proxy for SSH?

FWIW a provider called Mythic Beasts[0] seem to have much the same issue
as you. They provide IPv6-only servers and need to provide ssh access to
them over IPv4. What they do is multiplex based on port number. For
example, to ssh to one server I run:

    ssh -p 5167 root@ssh.monit_test.hostedpi.com

and to another I run:

    ssh -p 5161 root@ssh.test.hostedpi.com

It's not quite as slick as automatically routing based on the domain
used for access but does the trick well enough for them and is used in
production.
[0]: mythic-beasts.com
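
A sketch of the port-based multiplexing described in the message above: one IPv4 listener per port, each relaying raw TCP to a single IPv6-only backend. This is an added example, not code from the post or from Mythic Beasts. The ports 5167 and 5161 come from the message; the 2001:db8:: backend addresses and all function names are assumptions.

```python
import asyncio

# Constructed mapping: public IPv4 listen port -> (IPv6-only backend, SSH port).
# The 2001:db8:: addresses are documentation-prefix placeholders, not real hosts.
PORT_MAP = {
    5167: ("2001:db8::67", 22),
    5161: ("2001:db8::61", 22),
}

async def _pipe(reader, writer):
    """Copy bytes one way until EOF or reset, then close the write side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

def make_handler(backend):
    """Return a connection handler that relays to one fixed backend."""
    host, port = backend

    async def handle(c_reader, c_writer):
        try:
            b_reader, b_writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout=10)
        except (OSError, asyncio.TimeoutError):
            c_writer.close()  # backend unreachable: drop the client
            return
        # The relay is opaque: key exchange and host-key verification still
        # happen end to end between the SSH client and the backend.
        await asyncio.gather(_pipe(c_reader, b_writer),
                             _pipe(b_reader, c_writer))
    return handle

async def start_proxy(port_map, listen_host="0.0.0.0"):
    """Open one IPv4 listener per mapped port and return the servers."""
    return [await asyncio.start_server(make_handler(backend), listen_host, port)
            for port, backend in port_map.items()]

async def main():
    servers = await start_proxy(PORT_MAP)
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(main())
```

Because the relay only copies bytes, the proxy never holds SSH keys or sees plaintext, and OpenSSH records each backend's host key under its own `[host]:port` entry in known_hosts.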