On 01/13/2020 11:10 AM, Nico Schottelius wrote:
> The problem I am trying to solve is: there are thousands of users on
> IPv4 only networks who I cannot all communicate with. And they need to
> access resources on IPv6 only systems.
>
> The typical jump host / proxy command approach surely works, but only
> for a small percentage of the users. The big part actually reaches out
> to the support and has severe problems if they cannot just use "plain
> ssh" (i.e. need to configure ssh or don't land on the target host
> immediately).

Out of interest:

1. If an extended mechanism were to be implemented, which server pubkey
   do you expect to be seen/stored/verified by the client? The proxy's /
   v4 middlebox's, or the v6 backend's? Or would you require that all
   server-side machines use the *same* host keypairs?

2. Are there any clients *with* v6 accessing the same backends? Via
   generic v6? How is the distinction made, FQDNs given in the public DNS
   with the proxy's v4 and the backend's v6 IP and leave the selection to
   the client? Could client machines *switch* between both modes, short
   of an all-out reconfig by the sysadmins' hands?

Proxy pubkey (≠ backend pubkey) for v4 and clients can switch between v4
and v6 ==> Users get MitM alerts after every switch.

Backend pubkey (≠ proxy pubkey) for v4 ==> Any user using the ssh-keyscan
tool will probably thus stuff his known_hosts file with the *wrong*
one(s).

Etcetera.

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Robert-Koch-Straße 9
64331 Weiterstadt
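For readers weighing the two host-key outcomes the reply sketches, the following client-side ssh_config is an added illustration, not part of the thread and not OpenSSH project documentation. It shows how a client can reach an IPv6-only backend either directly or from an IPv4-only network through a jump host (the "jump host / proxy command approach" the quoted mail refers to), while verifying the *backend's* host key on both routes. All host names, the jump host and the user name are placeholders; HostKeyAlias and ProxyJump are real ssh_config directives.

```ssh_config
# Added illustration (not from the thread). Every name below is a placeholder.

# Route 1: clients that have IPv6 talk to the backend directly.
Host backend-v6
    HostName backend.example.com
    AddressFamily inet6
    # Look the backend's key up in known_hosts under one fixed name,
    # independent of which route was used to reach it.
    HostKeyAlias backend.example.com

# Route 2: IPv4-only clients go through a dual-stack jump host.
# The jump host only forwards the TCP stream; the SSH session and
# the host key check are still end-to-end with the backend.
Host backend-via-v4
    HostName backend.example.com
    ProxyJump jumpuser@jump.example.com
    # Same alias as route 1, so the key stored for the direct route
    # is the one checked here; switching routes raises no mismatch.
    HostKeyAlias backend.example.com

# The jump host itself is verified under its own name, with its own key.
# Its key is never stored under the backend's alias.
Host jump.example.com
    AddressFamily inet
    StrictHostKeyChecking yes
```

The alias only helps when the same key is actually presented on both routes, which is the "backend pubkey for v4" case in the reply. If the v4 middlebox terminates SSH and presents its own key (the first case), the two routes must not share a HostKeyAlias; the middlebox's key then belongs in known_hosts under the middlebox's name, and users who run ssh-keyscan against the v4 name should expect to see that key, not the backend's.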
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev