On 23/05/15 14.42, Kasper Dupont wrote:
> I am working on a proxy which can be hosted on a single
> IP address and dispatch requests to different backends
> depending on which hostname the client used to connect to
> this IP address.
>
> Currently such a proxy can be built to support HTTP, HTTPS,
> SMTP, and DNS. However, SSH support is impossible due to
> the ssh client not sending the information such a proxy
> would need.
>
> I am not the first to want such a proxy:
> http://serverfault.com/q/34552/214507
> However, my searches only found people talking about it,
> and nobody doing anything about it.
>
> I have attached a tiny patch for the openssh-client, which
> I believe does everything openssh would need to do in order
> to support this kind of proxy.
>
> What are your thoughts on the attached patch?
>
> Rationale behind the design of the patch:
> A name based SSH proxy will need to accept connections from
> clients and based on data sent by the client choose a
> backend server to connect to.
>
> The proxy will not be able to forward the version
> identification from the backend to the client until after
> it has connected to the backend. Thus the proxy will need
> to extract the hostname from the data sent by the client
> before any version identification has been sent in the
> other direction.
>
> This leaves the version identification sent from client
> to server as the only place such a proxy could possibly
> extract the hostname from. Thus the patch would have to
> extend the format of the version identification to include
> a hostname.
>
> The version identification contains a comments field
> which at the moment is a free form field sent by client
> and ignored by server. The intended purpose of this field
> is to aid in debugging, thus it just needed to be human
> readable.
>
> Replacing the comments field with JSON formatted data will
> allow it to serve both purposes. I picked JSON because it
> is extensible and very simple.
>
> The change amounts to modifying two lines of code in
> send_client_banner and passing the hostname as function
> argument where it is now necessary. No server side changes
> are needed.

I have put a copy of the patch here:
http://share.kasperd.net/openssh-6.6p1-sni.patch

And an example of how a proxy using this feature could be
implemented here:
http://share.kasperd.net/ssh-sni.py

-- 
Kasper Dupont -- Real men write their own backup programs
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
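The dispatch step the message describes, written out as an added example that is not part of the original thread and is neither Kasper Dupont's openssh patch nor his ssh-sni.py: the proxy reads exactly one identification line from the client before sending anything back, parses it per the "SSH-protoversion-softwareversion SP comments CR LF" format of RFC 4253 section 4.2, and, if the comments field is a JSON object, takes the hostname from it to select a backend. The JSON key name `host`, the backend table, the TEST-NET addresses and the sample banner lines are all constructed assumptions; a stock client's free-form comments, malformed JSON, an over-long line and an unknown hostname each fall through to a default rather than being trusted.

```python
"""Name-based dispatch for an SSH proxy driven by the client identification line.

Added example, not Kasper Dupont's patch or his ssh-sni.py: it reads the client's
"SSH-2.0-softwareversion SP comments CR LF" line (RFC 4253 section 4.2), treats a
JSON-formatted comments field as the carrier of the hostname, and picks a backend.
The JSON key name "host", the backend table and all addresses are assumptions.
"""
import io
import json
import re
from typing import BinaryIO, Dict, Optional, Tuple

Backend = Tuple[str, int]

# RFC 4253 section 4.2 caps the identification line at 255 bytes including CR LF.
MAX_IDENT_LEN = 255

_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>[^ \r\n]+)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n$"
)
# Conservative hostname syntax: labels of letters, digits and hyphens, 1-63 chars each.
_HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def read_ident(stream: BinaryIO) -> bytes:
    """Read exactly one identification line from the client, sending nothing back.

    The proxy has no backend yet whose banner it could relay, so it reads byte by
    byte up to LF and refuses input longer than the protocol allows."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        ch = stream.read(1)
        if not ch:
            raise ValueError("connection closed before identification line")
        buf += ch
        if len(buf) > MAX_IDENT_LEN:
            raise ValueError("identification line exceeds 255 bytes")
    return bytes(buf)


def parse_ident(line: bytes) -> Dict[str, str]:
    """Split an identification line into protoversion, softwareversion and comments."""
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification line exceeds 255 bytes")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("identification line is not US-ASCII") from None
    m = _IDENT_RE.match(text)
    if m is None:
        raise ValueError("not an SSH identification line")
    return {"proto": m["proto"], "software": m["software"], "comments": m["comments"] or ""}


def hostname_from_comments(comments: str) -> Optional[str]:
    """Return the hostname carried in a JSON comments field, or None.

    Stock clients send free-form text here (e.g. "Ubuntu-2ubuntu2"); anything that
    is not a JSON object with a well-formed "host" string yields None so the proxy
    falls back instead of acting on unvalidated input."""
    if not comments.startswith("{"):
        return None
    try:
        data = json.loads(comments)
    except ValueError:
        return None
    host = data.get("host") if isinstance(data, dict) else None  # key name assumed
    if not isinstance(host, str):
        return None
    host = host.lower().rstrip(".")
    return host if _HOST_RE.match(host) else None


def choose_backend(line: bytes, backends: Dict[str, Backend],
                   default: Optional[Backend] = None) -> Optional[Backend]:
    """Map a client identification line to a backend address, or the default."""
    host = hostname_from_comments(parse_ident(line)["comments"])
    if host is None:
        return default
    return backends.get(host, default)


if __name__ == "__main__":
    # Constructed sample lines and a hypothetical backend table (TEST-NET addresses).
    table = {"git.example.net": ("203.0.113.10", 22),
             "shell.example.net": ("203.0.113.11", 22)}
    fallback = ("203.0.113.1", 22)
    for raw in (b'SSH-2.0-OpenSSH_6.6p1 {"host":"git.example.net"}\r\n',
                b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n",
                b'SSH-2.0-OpenSSH_6.6p1 {"host":"unknown.example.net"}\r\n'):
        line = read_ident(io.BytesIO(raw))
        print(raw.strip(), "->", choose_backend(line, table, fallback))
```

The hostname in the banner is sent in the clear and before any key exchange, so the proxy can only use it for routing, never as evidence of who the client is; because the client still verifies the host key of whichever backend it ends up talking to, a mis-routed or spoofed hostname produces a host-key mismatch on the client side rather than a silently wrong session. The 255-byte limit matters once JSON is carried in the comments field, which is why both the reader and the parser enforce it.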