On Fri, Jan 30, 2015 at 8:28 AM, Michael Felt <aixtools@xxxxxxxxx> wrote:
> I must be missing the point here somehow. From my simple mind I think that
> two things would be needed - first a mod, e.g., mod_sshd, or better an
> addition to mod_auth and mod_proxy so that a URL could be used to initiate
> contact to an sshd server elsewhere.
> The mod_auth part could/should be used to verify the credentials to be used -
> basically setting up the VPN between ssh and httpd as ssh; the httpd server
> would set up its own separate connection with the target sshd - with
> mod_proxy_logic - to verify that the httpd server can and will make a
> connection. Lastly, to prevent a continuous man in the middle the original
> ssh client would make a second connection to establish ciphers, mac and kex
> via the two connections using the httpd as man-in-the-middle.
> I may have explained myself poorly.

The proposed apache mod would only exist as a reference implementation to verify that the client was working correctly. I'm not thinking of supporting proxying from a webserver, other than through traditional ssh netcat-style proxying.

This would simply be a mechanism to transport ssh traffic over websockets instead of vanilla TCP, to allow ssh key-based authentication of a websocket connection. The proposed use case is only for when the webserver is presenting an application that wants ssh key-based authentication.

Part of my motivation is that I'd like to expose git or gerrit over websockets, since these already support ssh key-based authentication. rsync over websockets could be good too.

As far as the security/political implications go, I fully agree it might not work from a PR perspective, but I don't think this creates any more issues than allowing sshd to run as a SOCKS proxy, or dynamically forward inbound or outbound TCP.

For the reference implementation itself, I was thinking of using https://github.com/disconnect/apache-websocket and providing a sshd plugin.

Phil
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
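The transport layer Phil describes (ssh bytes carried in websocket frames instead of raw TCP) reduces, at the framing level, to wrapping each chunk of the ssh stream in an RFC 6455 binary frame. The following is an added illustration, not code from the thread, the proposed apache mod, or the apache-websocket project: it frames a constructed SSH identification banner as a client-to-server frame (which the RFC requires to be masked) and parses it back, handling the 16-bit and 64-bit extended-length forms so that a full ssh packet fits in one frame.

```python
import os
import struct
from typing import Optional, Tuple

# Constructed sample payload: the identification string that opens every SSH-2 session.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.7\r\n"


def encode_binary_frame(payload: bytes, mask: bool, mask_key: Optional[bytes] = None) -> bytes:
    """Build one RFC 6455 frame with FIN=1 and opcode 0x2 (binary).

    ssh traffic is opaque bytes, so binary frames are the right carrier.
    Client-to-server frames MUST be masked; server-to-client frames MUST NOT be.
    """
    header = bytearray([0x82])  # FIN bit set, opcode 2 = binary
    n = len(payload)
    mask_bit = 0x80 if mask else 0x00
    if n < 126:
        header.append(mask_bit | n)
    elif n < 0x10000:
        header.append(mask_bit | 126)          # 16-bit extended length follows
        header += struct.pack(">H", n)
    else:
        header.append(mask_bit | 127)          # 64-bit extended length follows
        header += struct.pack(">Q", n)
    if not mask:
        return bytes(header) + payload
    key = mask_key if mask_key is not None else os.urandom(4)
    header += key
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return bytes(header) + masked


def decode_frame(frame: bytes) -> Tuple[int, bytes]:
    """Parse one complete frame and return (opcode, payload), unmasking if MASK is set."""
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        n, pos = struct.unpack(">H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", frame[2:10])[0], 10
    key = b""
    if masked:
        key, pos = frame[pos:pos + 4], pos + 4
    body = frame[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated frame: declared %d bytes, got %d" % (n, len(body)))
    if masked:
        body = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    return opcode, body
```

A real bridge would also need the HTTP upgrade handshake and continuation/close/ping frames; this shows only the data-frame encapsulation that the ssh stream rides on.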