Good morning,

I was wondering what you think about SNI (server name indication) support in OpenSSH?

Background: SSH is one of the rare protocols in the data center that cannot be easily load balanced, proxied or made highly available. If the ssh client would indicate to which host it wants to connect, a proxy or load balancer could easily be implemented.

While this is an obvious feature for load balancing, I have another use case that is very important: bridging the IPv4 to the IPv6 world (see also [0]). With IPv4 having run out in many places, it is often necessary to multiplex a public IPv4 address for multiple IPv6 end hosts, to help them be reachable from the IPv4 world. With all the TLS based protocols (including https, imaps) this is easily possible. SSH is an exception here and makes it hard to implement a generic way of enabling IPv6 only systems to be reachable from the IPv4 world.

My suggestion would be as follows:

- change the ssh client to add a header/packet at the start of the connection that says "I want to connect to X", X being whatever is passed on the command line (IPv6 address, IPv4 address, domain name).
- either not modifying the server, OR
- adding a variable into the server that lets one match on the client provided value

I am aware that one can use different ports for multiplexing and also that SNI is not secure, as it is client provided. However the latter is not a problem, as security always needs to be ensured on the server side.

I am looking forward to hearing your opinion. If this is something that would be accepted upstream, I could come up with a patch for it.

Best regards,

Nico

[0] https://ungleich.ch/de/cms/ungleich-blog/2018/09/20/how-to-break-ipv4-https/

-- 
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
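The routing decision a front-end proxy would make under this proposal, as an added illustration that is neither OpenSSH code nor the patch discussed in the post. The wire format assumed here (a single ASCII line `SSH-SNI <host>` sent by the client before its normal `SSH-2.0-...` identification string) is an assumption made for the example only; the routing table entries are constructed. It shows the two properties the post relies on: a client that does not send the indication falls through to a default backend with its bytes untouched (the "server not modified" case), and the client-supplied value is never trusted, only used as a lookup key into an operator-controlled allowlist.

```python
"""Toy SNI-style routing for an SSH front-end proxy (illustration only).

The "SSH-SNI <host>\\r\\n" preamble is an assumed format for this example;
OpenSSH has no such header. Backends below are constructed sample values.
"""
import ipaddress
import re

# Optional preamble: "SSH-SNI <host>" followed by CRLF or LF. The host is
# length-limited and restricted to hostname / IP-literal characters so that
# an arbitrary client cannot push junk into logs or lookups.
PREAMBLE_RE = re.compile(rb"^SSH-SNI ([A-Za-z0-9.\-:\[\]]{1,253})\r?\n")

# Constructed routing table (assumption): indicated name -> IPv6 backend.
ROUTING_TABLE = {
    "host1.example.net": ("2001:db8::1", 22),
    "host2.example.net": ("2001:db8::2", 22),
}
# Where unmodified clients, or clients naming an unknown host, end up.
DEFAULT_BACKEND = ("2001:db8::ff", 22)


def parse_preamble(data: bytes):
    """Return (indicated_host, remaining_bytes).

    A client without the extension starts straight with "SSH-2.0-...", so
    indicated_host is None and every byte is forwarded unchanged.
    """
    m = PREAMBLE_RE.match(data)
    if not m:
        return None, data
    return m.group(1).decode("ascii"), data[m.end():]


def normalize_target(host: str) -> str:
    """Canonicalise the client value so case, a trailing dot or a bracketed
    / non-compressed IPv6 literal cannot bypass or duplicate table entries."""
    host = host.strip("[]").rstrip(".").lower()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


def choose_backend(indicated_host, table=ROUTING_TABLE, default=DEFAULT_BACKEND):
    """The indication is unauthenticated (as the post notes), so it is used
    only as a key into the allowlist; anything unknown goes to the default
    backend and is never used to build a destination address."""
    if indicated_host is None:
        return default
    return table.get(normalize_target(indicated_host), default)


def route(data: bytes):
    """Decision for the first bytes of a connection: backend to dial and the
    bytes to forward to it (the SSH identification string onwards)."""
    host, rest = parse_preamble(data)
    return choose_backend(host), rest


if __name__ == "__main__":
    for sample in (
        b"SSH-SNI host1.example.net\r\nSSH-2.0-OpenSSH_9.0\r\n",   # constructed
        b"SSH-SNI unknown.example.org\r\nSSH-2.0-OpenSSH_9.0\r\n", # constructed
        b"SSH-2.0-OpenSSH_9.0\r\n",                                # legacy client
    ):
        backend, rest = route(sample)
        print(backend, rest)
```

The real proxy would then open a TCP connection to the chosen backend, write `rest`, and splice the two sockets; the authentication and host-key checks still happen end to end between client and backend, which is why a forged indication only selects a backend and never grants access.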