On 27/05/15 09:40, Kasper Dupont wrote:
> On 27/05/15 01.42, Ángel González wrote:
>> Why do you want the hostname being used to "be visible to the administrator
>> of the SSH server"?
>
> In case the AAAA record used by the proxy to find the
> server for some reason points to the wrong IP address,
> I want to ensure that the administrator of the [target] server
> has the opportunity to see the DNS record causing
> connections to end up on their server. That's only
> possible if the hostname is sent to the server somehow.

Well, John Doe connecting through your proxy to 192.168.1.1
because foo.example.org is pointing there instead of 192.168.111.111
is no different from John Doe doing exactly that with a different
connection.
If the DNS record is wrong, there's little 192.168.1.1 can do.

>> In which case, you don't need such a thing if using an HTTP CONNECT proxy (the
>> hostname is now given to the HTTP proxy). And if you use an ssh server
>> like the ssh tunneling I proposed, the final hostname is already provided, too.
>
> Communicating the hostname to the proxy is probably going
> to be the easy part.

Indeed, that's trivial.

> The tricky part is to make it visible to the administrator of the target server.

Yes. ssh protocol is quite guarded against alterations from the outside.

>> If you want instead to give the hostname used to the *final* sshd,
>> that's a different requirement for which you provided no rationale
>> (and I suspect you are not really interested in).
>
> That's definitely what I am interested in. The rationale
> is that the administrator of the final server is to have
> access to this information.

As above, I don't think it could do much with it, and there will be
exactly the same, but.
Would you consider it acceptable for the proxy to send a UDP packet to the
target server (e.g. UDP 514) informing it of the requested hostname it's
forwarding?