> On 16 Oct 2019, at 00:59 , Demi M. Obenour <demiobenour@xxxxxxxxx> wrote:
>
> There have been many cases where I have found myself in need of a pure
> forwarding tool that can forward sockets over a single stream. In my
> use cases, this stream is already secure, so there is no need for the
> tool to do any encryption or authentication. One specific use-case was
> forwarding a Docker socket to another VM over QubesOS qrexec,
> which uses Xen shared memory, but there are undoubtedly others,
> such as forwarding over a pre-authenticated TLS or SSH connection.
>
> OpenSSH already provides this and more, but it wraps them up in an
> interface that is inconvenient for the purpose. I wound up resorting
> to `sshd -i` with key-based authentication, but the encryption and
> authentication are pointless overhead here, and having to generate
> host keys is annoying. Essentially, this tool would be an “SSH
> subsystem” ― it would provide all of the forwarding features of
> sshd(8), but without encryption or authentication. This is similar
> to how sftp-server(8) expects an already secure and authenticated
> connection.

The more I read this, and your other responses, the more I have the funny feeling you are looking for the -L & -R options, perhaps the -J option, and should consider the -D & -w & -W options too.

> Another alternative would be additional options, like
> `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`,
> to ssh(1) and sshd(8).
>
> How difficult would it be to incorporate such a tool into OpenSSH?
> If this is not something the OpenSSH developers are interested in, I
> could try to write one myself, but that would likely be significantly
> more effort and duplicate capabilities already found in the OpenSSH
> codebase. I also won’t have time for quite a while.
>
> Disclaimer: I have almost no knowledge of the SSH protocol, and
> have not looked at the OpenSSH source code. I am merely a (very)
> happy user.
Perhaps re-read the ssh(1) manual pages…. I found the -w & -W options as I was preparing for a VPN talk the past month ;) (And I’ve been using SSH since 1993)

Else, you might consider VTUN for a stream forwarding option too (and not just a tap/tun connection)

> Thank you,
>
> Demi M. Obenour
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev