Re: SSH over websockets

On Fri, Jan 30, 2015 at 8:28 AM, Michael Felt <aixtools@xxxxxxxxx> wrote:

> I must be missing the point here somehow. From my simple mind I think that
> two things would be needed - first a mod, e.g., mod_sshd, or better an
> addition to mod_auth and mod_proxy so that a URL could be used to initiate
> contact to an sshd server elsewhere.
> The mod_auth part could/should be used to verify the credentials to be used -
> basically setting up the VPN between ssh and httpd as ssh; the httpd server
> would set up its own separate connection with the target sshd - with
> mod_proxy_logic - to verify that the httpd server can and will make a
> connection. Lastly, to prevent a continuous man in the middle, the original
> ssh client would make a second connection to establish ciphers, mac and kex
> via the two connections using the httpd as man-in-the-middle.
>

I may have explained myself poorly. The proposed apache mod would only
exist as a reference implementation to verify that the client was working
correctly. I'm not thinking of supporting proxying from a webserver, other
than through traditional ssh netcat-style proxying. This would simply be a
mechanism to transport ssh traffic over websockets instead of vanilla TCP,
to allow ssh key-based authentication of a websocket connection. The
proposed use case is only for when the webserver is presenting an
application that wants ssh key-based authentication. Part of my motivation
is that I'd like to expose git or gerrit over websockets, since these
already support ssh key-based authentication. rsync over websockets could
be good too.

As far as the security/political implications go, I fully agree it might
not work from a PR perspective, but I don't think this creates any more
issues than allowing sshd to run as a SOCKS proxy, or dynamically forward
inbound or outbound TCP.

For the reference implementation itself, I was thinking of using
https://github.com/disconnect/apache-websocket and providing an sshd plugin.

Phil
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
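Added illustration, not code from this thread or from the apache-websocket project: minimal RFC 6455 binary framing (with the client-side masking the RFC requires) carrying an SSH byte stream, showing that the web layer only relays opaque chunks, so the SSH banner, kex and host-key check still happen end to end between ssh client and sshd. The banner string and chunk size are constructed sample values.

```python
import os
import struct

# Constructed sample: an SSH identification string (RFC 4253) as the first
# bytes any SSH client sends. Not taken from a real session.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.7\r\n"


def ws_frame(payload: bytes, masked: bool = True, opcode: int = 0x2) -> bytes:
    """Wrap payload in one RFC 6455 frame with FIN set. Clients must mask."""
    header = bytes([0x80 | opcode])
    n = len(payload)
    mask_bit = 0x80 if masked else 0
    if n < 126:
        header += bytes([mask_bit | n])
    elif n < 65536:
        header += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not masked:
        return header + payload
    key = os.urandom(4)  # 32-bit masking key, XORed over the payload
    return header + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def ws_unframe(frame: bytes):
    """Parse one frame from the start of `frame`; return (opcode, payload, consumed)."""
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        (n,), pos = struct.unpack("!H", frame[2:4]), 4
    elif n == 127:
        (n,), pos = struct.unpack("!Q", frame[2:10]), 10
    key = b""
    if masked:
        key, pos = frame[pos:pos + 4], pos + 4
    payload = frame[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + n


def tunnel_roundtrip(stream: bytes, chunk: int = 8) -> bytes:
    """Client frames the SSH stream in chunks; the relay unframes and forwards.
    The relay never parses the SSH bytes, it only strips the websocket framing."""
    wire = b"".join(ws_frame(stream[i:i + chunk]) for i in range(0, len(stream), chunk))
    out, pos = b"", 0
    while pos < len(wire):
        opcode, payload, used = ws_unframe(wire[pos:])
        assert opcode == 0x2, "SSH traffic travels in binary frames only"
        out, pos = out + payload, pos + used
    return out
```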