On 21.09.22 22:59, Carl Karsten wrote:
> I would like to keep ports all standard: 22 for ssh, 80/443 for http/s, etc. and route to the VM based on hostname.
Unlike the Host: header in HTTP (since 1.1) and SNI extension of TLS, the SSH protocol AFAICT does not provide a means for the client to tell the server about the original/requested server name, much less doing so *before* the server starts talking (and thus effectively identifies itself). Hence, this can only be done by intransparently wrapping SSH into another protocol layer, at which point you might make certain (non-OpenSSH) client implementations difficult or impossible to use.
On the other hand, while sticking to the standard ports has advantages with web servers (ability to use https://www.ssllabs.com/ssltest/, or an ACME client with HTTP challenge-response against Let's Encrypt, for example), nonstandard ports for SSH are more common, if not even recommended for Internet-facing systems (less noise in the logfiles at least).
Thus, my recommendation would be to randomize the ports (which AFAIK all usual SSH clients support), rather than to try to come up with some in-band trickery and then find out how portable it is IRL. :-3
Regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
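As an added example (not from the thread), the client-side configuration the per-port approach implies: each VM behind one public address listens on its own nonstandard port, and the client maps a short alias to each, so users still type `ssh vm1`. The name gateway.example.com and the port numbers are placeholders.

```ssh_config
# Added example, not from the thread. gateway.example.com and the
# ports are placeholders; each VM's sshd is reachable through the
# gateway on its own port (e.g. one DNAT rule per VM).

# --- client side: ~/.ssh/config ---
Host vm1
    HostName gateway.example.com
    Port 2201

Host vm2
    HostName gateway.example.com
    Port 2202

# Host keys are recorded in known_hosts as [gateway.example.com]:2201
# and [gateway.example.com]:2202, so the two VMs keep separate host
# key records even though they share one address. Refuse silently
# accepting an unknown or changed key on these entries:
Host vm1 vm2
    StrictHostKeyChecking yes

# --- server side: /etc/ssh/sshd_config on vm1 ---
# Only needed when the VM itself, rather than a port-forwarding
# rule on the gateway, is to listen on the nonstandard port.
Port 2201
```

With this in place `ssh vm1` and `ssh vm2` need no `-p` flag, and `scp`, `sftp` and `git` over SSH pick up the same aliases.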