SNI-like routing

Jochen Bern Jochen.Bern at binect.de
Mon Sep 26 09:35:11 AEST 2022


On 21.09.22 22:59, Carl Karsten wrote:
> I would like to keep ports all standard: 22 for ssh, 80/443 for
> http/s, etc. and route to the VM based on hostname.

Unlike the Host: header in HTTP (since 1.1) and SNI extension of TLS, 
the SSH protocol AFAICT does not provide a means for the client to tell 
the server about the original/requested server name, much less doing so 
*before* the server starts talking (and thus effectively identifies 
itself). Hence, this can only be done by intransparently wrapping SSH 
into another protocol layer, at which point you might make certain 
(non-OpenSSH) client implementations difficult or impossible to use.

On the other hand, while sticking to the standard ports has advantages 
with web servers (ability to use https://www.ssllabs.com/ssltest/ , or 
an ACME client with HTTP challenge-response against Let's Encrypt, for 
example), nonstandard ports for SSH are more common, if not even 
recommended for Internet-facing systems (less noise in the logfiles at 
least).

Thus, my recommendation would be to randomize the ports (which AFAIK all 
usual SSH clients support), rather than to try to come up with some 
in-band trickery and then find out how portable it is IRL. :-3

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
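The per-port approach recommended above, as an added client-side example (not part of the original post): an OpenSSH `ssh_config` stanza set that maps each VM to its own port on one gateway address, so users keep typing plain host aliases. The gateway name, aliases and port numbers are constructed placeholders.

```sshconfig
# ~/.ssh/config (added example; hostnames and ports are placeholders)
# One public address, one distinct port per VM. OpenSSH records host keys
# for non-22 ports as "[gateway.example.com]:2201" in known_hosts, so the
# VMs' host keys stay separate even though they share an IP address.

Host vm-web
    HostName gateway.example.com
    Port 2201
    User deploy

Host vm-db
    HostName gateway.example.com
    Port 2202
    User deploy

# Defaults for everything that matches one of the aliases above.
Host vm-*
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
    StrictHostKeyChecking yes
```

With this in place `ssh vm-web` and `ssh vm-db` reach different machines without any in-band name indication, which is exactly what the post argues SSH cannot offer; the same stanzas also work for `scp` and `sftp`, since they read the same configuration file.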