Re: Adding SNI support to SSH

On Mon, Jan 13, 2020 at 05:14:02PM +0100, Nico Schottelius wrote:
> p.s.: HAProxy, which we use, can even forward the original client IP to
> the end host using the "proxy protocol".
> 
> pps: The whole haproxy configuration for it looks as follows. It
> supports smtps, imaps, https and http at the moment.
> 
> # ipv4 https frontend
> frontend httpsipv4
>     bind ipv4@:443
>     mode tcp
>     option tcplog
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>     default_backend httpsipv4
> 
> backend httpsipv4
>     mode tcp
>     use-server webmail.ungleich.ch if { req_ssl_sni -i webmail.ungleich.ch }
>     server webmail.ungleich.ch ipv6@xxxxxxxxxxxxxxxxxxx
>     ...
> 

Neat. I do something similar: in order to circumvent obnoxious airport /
coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
to offer 'SSH over HTTPS'.  haproxy terminates the HTTPS connection
(which is SNI-aware) while sshd on the target machine terminates the
tunneled SSH connection.

In ssh_config, I use ProxyCommand to invoke gnutls-client to create the
HTTPS connection.

You've indicated that you don't want to compel your users to make
significant changes to ssh_config, but others in this thread have noted
that an SNI option for OpenSSH will take some time to propagate from
ideation through development through widespread* deployment.

Would this SSH-over-HTTPS option be worth considering for your use case
while the SNI-aware OpenSSH gets more backers? (I think I might be one,
now. You may wish to ask for Proxy-Protocol support, also.)

* sufficiently widespread that your users can get packages from distros

-- 
Luca Filipozzi
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
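As an added illustration of what the quoted `req_ssl_hello_type 1` / `req_ssl_sni -i` rules do before a connection is routed (example code written for this archive page, not from either poster, from HAProxy or from OpenSSH): it constructs a minimal ClientHello carrying an SNI extension, extracts the server name the way a TCP-mode front end must, and selects a backend case-insensitively; the backend names and the sample SSH banner are constructed values.

```python
import struct
from typing import Optional

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello with an SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                                  # client_version, random
            + b"\x00"                                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)             # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes) -> Optional[str]:
    """SNI host_name from a ClientHello, or None when the bytes are not a complete
    ClientHello or carry no SNI (the checks req_ssl_hello_type 1 / req_ssl_sni perform)."""
    try:
        if data[0] != 0x16:                                   # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:                # truncated, or not ClientHello
            return None
        pos = 4 + 2 + 32                                      # handshake header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                    # server_name extension
                if hs[pos + 2] != 0:                          # first entry must be host_name
                    return None
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def choose_backend(data: bytes, routes: dict, default: Optional[str] = None) -> Optional[str]:
    """Case-insensitive SNI lookup, like `use-server X if { req_ssl_sni -i name }`."""
    sni = extract_sni(data)
    return routes.get(sni.lower(), default) if sni else default
```

A raw SSH banner or a truncated record yields no SNI and falls through to the default, which is why the front end buffers with `tcp-request inspect-delay` and only accepts once a full ClientHello has arrived.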
