It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling

I am in the network that is behind the Zscaler firewall.

Virtually all ports except 80 and 443 are closed. ssh through either of ports 80 and 443 is disallowed based on protocol content analysis.


It would be nice if OpenSSH would have some features that would allow the user to break out of such a network.


I suggest that OpenSSH adds the SSL tunneling feature:

1. The server would have the AllowHttpsTunnels {secret token} setting

2. The client would have the -h {secret token} argument that would tell it to try the SSL connection when the SSH connection fails, and the -H {secret token} argument that would instruct the client to only use the SSL tunnel.

3. In the case where SSL tunneling is used, the client would establish the SSL connection, and then it would authenticate the secret token.


The secret token is needed to ensure that deep filters like Zscaler wouldn't be able to ban such an SSL tunnel based on content probing.


SSL might need to have the HTTP protocol embedded into it (making it an HTTPS tunnel) in case the network filter probes for it and bans connections based on its absence.


It is probably possible to do something similar using stunnel but (1) it is a lot more difficult to set up and (2) it would be blockable based on content probing because no secret token would be involved.


Without such a feature, more and more users would be unable to use ssh in more and more situations.



Yuri


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
