On Fri, Dec 6, 2019 at 6:04 AM Damiano Bolla <openssh.dev@xxxxxxxxxxx> wrote:
>
> Good morning
>
> I am inquiring if the following feature is in any way planned or if there is any interest to pool manpower to do it:
>
> The scope of the feature: Allow two hosts in private networks to share a port (typically to run VNC over it)
>
> How it would be used:
>
> - Companies or individuals would buy a public host in a cloud provider, install sshd in it with a public IP eg: 194.177.12.12
>
> when host A with private IP eg: 192.168.1.1 wants to establish a VNC connection to host B with private IP eg: 192.168.2.2 this should happen
>
> - Host A does: ssh [forward port 5901 and bind user damiano] 194.177.12.12
> - Host B does: ssh [incoming port 5901 and bind as user damiano] 194.177.12.12

It's workable. I've also seen internal security people get *ridiculously* angry about leaving that kind of tunnel in place, because you're basically punching a hole in their firewall without their permission.

If you're going to need this kind of remote terminal access, look at NoMachine rather than VNC. It provides much better access over the remote sessions for a designated local or personal administrator. It's at www.nomachine.com and has free versions available.

> what happens is
> - 194.177.12.12 has a list of permitted "bindings" and one of them is damiano
> - When host A connects to 194.177.12.12 and binds to user damiano it tells sshd that it wants to forward the given port to the binding

Which can be forced with an SSH key and "ForceCommand" setting. If that first host is a typical jumpgate, it may have port forwarding disabled.

> - When host B connects to 194.177.12.12 and binds to user damiano it tells sshd that it wants to accept forwarded data to the given port to the binding
>
> As far as I see, there is no extra level of authentication on the bindings (binding name can be any string, even numeric) since the ssh connection is authenticated.
Look into using "sshn" on host A to automate the forwarded connection and maintain it. And be ready for your local security person to beat you with a stick when they find you've been running SSH tunnels without their explicit permission.

> The question again is if this is in any way a planned feature or if there is any interest in doing it from anybody.
>
> Yes, I can get down to work on doing it
>
> Thanks
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
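The per-key restriction the reply points at (a key that can only carry its own binding's port rather than an unrestricted tunnel) can be checked on the relay with a small audit. This is an added example, not code from the thread or from OpenSSH; it assumes the relay's authorized_keys uses OpenSSH's restrict, port-forwarding, permitlisten and permitopen key options, and the sample entries are constructed.

```python
# Added example: assumes OpenSSH's restrict/port-forwarding/permitlisten/permitopen key options.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def split_line(line):
    """Return (options_string, key_type); option values may be quoted with
    commas or spaces inside, so scan instead of splitting on whitespace."""
    line = line.strip()
    if line.startswith(KEY_TYPES):  # entry without any options
        return "", line.split()[0]
    quoted, i = False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        quoted ^= line[i] == '"'
        i += 1
    return line[:i], line[i:].split()[0]

def parse_options(opts):
    """Map option name -> list of values (flags map to [""]); repeats allowed."""
    parsed, cur, quoted = {}, [], False
    for ch in opts + ",":  # trailing comma flushes the last option
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            name, _, val = "".join(cur).strip().partition("=")
            cur = []
            if name:
                parsed.setdefault(name, []).append(val.strip('"'))
            continue
        cur.append(ch)
    return parsed

def audit(line, port):
    """Findings for a key that should relay only `port` on the public host."""
    o, found = parse_options(split_line(line)[0]), []
    if "restrict" not in o and not all(
            f in o for f in ("no-pty", "no-agent-forwarding", "no-X11-forwarding")):
        found.append("shell/pty and agent/X11 forwarding not disabled (use restrict)")
    if "restrict" in o and "port-forwarding" not in o:
        found.append("restrict without port-forwarding blocks the tunnel itself")
    for name, what in (("permitlisten", "remote (-R) forwards"),
                       ("permitopen", "local (-L) forwards")):
        vals = o.get(name)
        if not vals:
            found.append(f"{what} not limited: add {name}")
        elif any(v.rsplit(":", 1)[-1] != str(port) for v in vals):
            found.append(f"{what} allow ports other than {port}")
    return found

# Constructed sample entries; the key blobs are placeholders, not real keys.
GOOD = 'restrict,port-forwarding,permitlisten="5901",permitopen="localhost:5901" ssh-ed25519 AAAAC3PLACEHOLDERKEY damiano'
BAD = 'ssh-ed25519 AAAAC3PLACEHOLDERKEY damiano'  # no options: full shell, any forward
```

With an entry like GOOD on the relay, host A connects with `ssh -N -R 5901:localhost:5901 damiano@194.177.12.12` and host B with `ssh -N -L 5901:localhost:5901 damiano@194.177.12.12`; `-N` means no session channel is opened, so no shell or forced command is needed for the tunnel to stay up.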