On 25/05/15 09.51, Damien Miller wrote:
> I'm not sure it should be part of the banner exchange, though there is
> no other trivial way to do it and maintain backwards compatibility.

Even if backwards compatibility wasn't a requirement, I don't see any
better way it could be done.

> I don't much like it because it reveals host identity information
> in the clear.

So does the DNS lookup performed before the TCP connection is being
established. So that can hardly be considered a secret.

> A better way would be to exchange this after the connection has
> been keyed, but that would require extensive changes to the key
> exchange protocol.

How would that work? The proxy doesn't hold the server key. The proxy
doesn't even know which server holds the key.

> I don't really want to implement a half-measure in OpenSSH...

All the proxy needs to know is the hostname which was previously sent
in clear to multiple DNS servers. And the only concern you have brought
up is that you don't want this to be sent in clear. I need a little
bit of help to understand what your concern is here.

I'll try to explain my usage scenario in a bit more detail.

I have a number of servers each running IPv6 only. Since some clients
will only have access to IPv4, I have deployed a proxy on a dual stack
host. But the proxy only has a single IPv4 address. Clients connect to
this address, and the proxy performs a DNS lookup to find the IPv6
address which this client wants to connect to. Currently this works for
HTTP, HTTPS, SMTP, and DNS.

-- 
Kasper Dupont -- Real men write their own backup programs
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
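The banner-based routing described in the message above, as an added example that is not part of the thread or of OpenSSH: a strict parser for the RFC 4253 identification line, reading the target from a hypothetical `host=<name>` token in the comments field and validating it as a DNS hostname before it reaches the resolver. The `host=` convention and the injectable `resolve` callback are assumptions.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes. softwareversion is printable US-ASCII without space or '-'.
_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")
# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_BANNER_LEN = 255


def parse_banner(raw: bytes):
    """Split one identification line into (protoversion, softwareversion, comments).

    Raises ValueError for anything that is not a well-formed RFC 4253 line, so the
    proxy never acts on an oversized, unterminated or non-ASCII banner.
    """
    if len(raw) > MAX_BANNER_LEN or not raw.endswith(b"\r\n"):
        raise ValueError("identification string too long or not CRLF-terminated")
    try:
        line = raw[:-2].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("identification string is not US-ASCII") from exc
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError("malformed identification string")
    proto, software, comments = m.groups()
    return proto, software, comments or ""


def target_host(comments: str):
    """Return the name from a hypothetical 'host=<name>' token in the comments field.

    Returns None when the token is absent or the name is not a syntactically valid
    hostname; only a validated name may be handed to the resolver.
    """
    for token in comments.split():
        if token.startswith("host="):
            name = token[len("host="):].rstrip(".").lower()
            labels = name.split(".")
            if len(name) <= 253 and all(_LABEL_RE.match(label) for label in labels):
                return name
            return None
    return None


def select_backend(raw: bytes, resolve):
    """Pick the IPv6 backend for one client banner; resolve(name) -> address or None."""
    _, _, comments = parse_banner(raw)
    name = target_host(comments)
    if name is None:
        raise ValueError("no valid target host in banner")
    addr = resolve(name)
    if addr is None:
        raise LookupError("no AAAA record for " + name)
    return addr
```

`resolve` is a plain callable so the routing logic can be exercised with a constructed table; a real proxy would pass a function performing the AAAA lookup.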