There have been many cases where I have found myself in need of a pure forwarding tool that can forward sockets over a single stream. In my use cases, this stream is already secure, so there is no need for the tool to do any encryption or authentication. One specific use case was forwarding a Docker socket to another VM over QubesOS qrexec, which uses Xen shared memory, but there are undoubtedly others, such as forwarding over a pre-authenticated TLS or SSH connection.

OpenSSH already provides this and more, but it wraps them up in an interface that is inconvenient for the purpose. I wound up resorting to `sshd -i` with key-based authentication, but the encryption and authentication are pointless overhead here, and having to generate host keys is annoying.

Essentially, this tool would be an “SSH subsystem” ― it would provide all of the forwarding features of sshd(8), but without encryption or authentication. This is similar to how sftp-server(8) expects an already secure and authenticated connection. Another alternative would be additional options, like `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`, to ssh(1) and sshd(8).

How difficult would it be to incorporate such a tool into OpenSSH? If this is not something the OpenSSH developers are interested in, I could try to write one myself, but that would likely be significantly more effort and duplicate capabilities already found in the OpenSSH codebase. I also won’t have time for quite a while.

Disclaimer: I have almost no knowledge of the SSH protocol, and have not looked at the OpenSSH source code. I am merely a (very) happy user.

Thank you,
Demi M. Obenour
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
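As an added illustration (not code from the post above, and not OpenSSH's or qrexec's own format) of what the core of the requested tool would be: a small Python channel multiplexer that carries several forwarded connections over one already-trusted byte stream. The framing layout, the MAX_PAYLOAD bound and the sample Docker-style request bytes are assumptions of this example; it shows frames being reassembled across arbitrary read boundaries and data for a channel that is not open being dropped rather than forwarded.

```python
import struct
# Framing assumed for this example (not an OpenSSH or qrexec format):
#   type(1) | channel id(4) | payload length(4) | payload, big-endian.
HDR = struct.Struct("!BII")
OPEN, DATA, CLOSE = 1, 2, 3
MAX_PAYLOAD = 1 << 16   # bound on what a peer can make us buffer per frame

def encode(kind, chan, payload=b""):
    """Build one frame; refuse payloads the receiver would reject."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds MAX_PAYLOAD")
    return HDR.pack(kind, chan, len(payload)) + payload

def demux(chunks):
    """Yield complete (kind, chan, payload) frames from an iterable of reads
    that may split a frame anywhere or carry several frames at once."""
    buf = bytearray()
    for data in chunks:
        buf += data
        while len(buf) >= HDR.size:
            kind, chan, length = HDR.unpack_from(buf)
            if length > MAX_PAYLOAD:
                raise ValueError("oversized frame from peer")
            if len(buf) < HDR.size + length:
                break                           # rest of this frame not read yet
            yield kind, chan, bytes(buf[HDR.size:HDR.size + length])
            del buf[:HDR.size + length]

def deliver(frames):
    """Route frames to per-channel buffers. DATA for a channel that is not
    open (never opened, or already closed) is counted and dropped."""
    open_, delivered, dropped = set(), {}, 0
    for kind, chan, payload in frames:
        if kind == OPEN:
            open_.add(chan)
            delivered.setdefault(chan, bytearray())
        elif kind == DATA and chan in open_:
            delivered[chan] += payload
        elif kind == CLOSE:
            open_.discard(chan)
        else:                                   # unknown type or stray DATA
            dropped += 1
    return {c: bytes(b) for c, b in delivered.items()}, dropped

def roundtrip(chunk=7):
    """Interleave two channels on one stream (constructed sample bytes),
    then re-read it in `chunk`-byte pieces so frames get split."""
    stream = b"".join([encode(OPEN, 1), encode(OPEN, 2),
                       encode(DATA, 1, b"GET /containers/json"), encode(DATA, 2, b"hello"),
                       encode(CLOSE, 2), encode(DATA, 2, b"late"), encode(DATA, 1, b" HTTP/1.1")])
    return deliver(demux(stream[i:i + chunk] for i in range(0, len(stream), chunk)))
```

A real tool would wrap each accepted Unix-socket connection in OPEN/DATA/CLOSE frames on one side and reconnect them on the other; this block only exercises the framing and channel-state logic.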