On 2019-10-15 20:33, Darren Tucker wrote:
> The goal of OpenSSH is to replace unencrypted connections, so such a mode
> would be counter to the project's goals, and such features have actually
> been the source of security problems in the past.

What if this was a separate binary that reused the underlying multiplexing and forwarding logic? In retrospect, you are correct that adding such a mode to ssh(1) and sshd(8) would be bad.

> On Wed, 16 Oct 2019 at 11:16, Demi M. Obenour <demiobenour@xxxxxxxxx> wrote:
>
>> As I mentioned in another email, what I am really looking for is
>> multiplexing multiple socket connections over a single full-duplex
>> stream.
>
> Sounds like you want a SOCKS server like Dante or similar.

Not really. A SOCKS server needs one TCP connection for each stream. SSH can forward many streams over the same TCP connection.

To give a concrete use case: I wrote a program that uses Docker containers to run untrusted, user-provided code in various languages. For security reasons, the containers run in a separate QubesOS disposable VM. This means that my application can only connect to the Docker daemon on the remote machine by means of a single reliable stream. I used OpenSSH to multiplex many AF_UNIX socket connections over that stream. A SOCKS server would not work here, as it lacks the multiplexing ability.

Sincerely,
Demi
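The property the reply relies on (many forwarded connections sharing one carrier stream, which a SOCKS server cannot do) as an added illustration that is not part of the thread and not OpenSSH's code: a toy channel framing, with a frame format constructed for this example rather than OpenSSH's real one, carries two interleaved forwarded connections over a single full-duplex stream simulated by a socketpair, and the receiver rejects data for channels that were never opened and distinguishes a clean EOF from a carrier cut mid-frame.

```python
import socket, struct

# Frame layout, constructed for this example (not OpenSSH's real wire format):
# 1-byte type, 4-byte channel id, 4-byte payload length, then the payload.
HDR = struct.Struct("!BII")
OPEN, DATA, CLOSE = 1, 2, 3

def send_frame(stream, ftype, chan, payload=b""):
    # One frame tagged with its channel id goes onto the shared carrier.
    stream.sendall(HDR.pack(ftype, chan, len(payload)) + payload)

def recv_exact(stream, n, at_boundary=False):
    """Read exactly n bytes; return None only at a clean EOF between frames."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.recv(n - len(buf))
        if not chunk:
            if at_boundary and not buf:
                return None
            raise EOFError("carrier closed mid-frame")
        buf += chunk
    return bytes(buf)

def recv_frame(stream):
    hdr = recv_exact(stream, HDR.size, at_boundary=True)
    if hdr is None:
        return None
    ftype, chan, length = HDR.unpack(hdr)
    return ftype, chan, recv_exact(stream, length)

def demux(stream):
    """Split the carrier back into per-channel byte strings (chan -> bytes)."""
    out, opened = {}, set()
    while (frame := recv_frame(stream)) is not None:
        ftype, chan, payload = frame
        if ftype == OPEN:
            out[chan] = bytearray()
            opened.add(chan)
        elif ftype == DATA and chan in opened:
            out[chan] += payload
        elif ftype == CLOSE:
            opened.discard(chan)
        else:  # data for a channel never opened (or already closed), or unknown type
            raise ValueError("bad frame type %d on channel %d" % (ftype, chan))
    return {c: bytes(b) for c, b in out.items()}

def run_demo():
    # Two forwarded connections interleaved over ONE full-duplex stream.
    carrier, far_end = socket.socketpair()  # stands in for the single ssh stream
    for ftype, chan, data in [(OPEN, 1, b""), (OPEN, 2, b""),          # constructed traffic
                              (DATA, 1, b"GET /version "), (DATA, 2, b"GET /containers/json "),
                              (DATA, 1, b"HTTP/1.1"), (CLOSE, 1, b""),
                              (DATA, 2, b"HTTP/1.1"), (CLOSE, 2, b"")]:
        send_frame(carrier, ftype, chan, data)
    carrier.close()  # clean EOF: demux sees None at a frame boundary and stops
    return demux(far_end)
```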