Demi M. Obenour
2019-Oct-15 22:59 UTC
“Stripped-down” SSH (no encryption or authentication, just forwarding)
There have been many cases where I have found myself in need of a pure forwarding tool that can forward sockets over a single stream. In my use cases, this stream is already secure, so there is no need for the tool to do any encryption or authentication. One specific use-case was forwarding a Docker socket to another VM over QubesOS qrexec, which uses Xen shared memory, but there are undoubtedly others, such as forwarding over a pre-authenticated TLS or SSH connection.

OpenSSH already provides this and more, but it wraps them up in an interface that is inconvenient for the purpose. I wound up resorting to `sshd -i` with key-based authentication, but the encryption and authentication are pointless overhead here, and having to generate host keys is annoying. Essentially, this tool would be an “SSH subsystem”: it would provide all of the forwarding features of sshd(8), but without encryption or authentication. This is similar to how sftp-server(8) expects an already secure and authenticated connection.

Another alternative would be additional options, like `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`, to ssh(1) and sshd(8).

How difficult would it be to incorporate such a tool into OpenSSH? If this is not something the OpenSSH developers are interested in, I could try to write one myself, but that would likely be significantly more effort and duplicate capabilities already found in the OpenSSH codebase. I also won't have time for quite a while.

Disclaimer: I have almost no knowledge of the SSH protocol, and have not looked at the OpenSSH source code. I am merely a (very) happy user.

Thank you,

Demi M. Obenour
Job Snijders
2019-Oct-15 23:11 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
The S in SSH stands for secure. You are asking the wrong group of people. You'll have to resolve your issue in some other way.
Demi M. Obenour
2019-Oct-15 23:43 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 19:11, Job Snijders wrote:
> The S in SSH stands for secure. You are asking the wrong group of people.
> You'll have to resolve your issue in some other way.

This tool would only support running on stdin/stdout. Indeed, an idiomatic use-case would be to use it as the command argument to ssh(1). The assumption I am making is that anyone that can pass arbitrary data to this tool over stdin can also obtain a shell (with the same privileges).

Sincerely,

Demi
Jeremy Lin
2019-Oct-16 00:37 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On Tue, Oct 15, 2019 at 4:02 PM Demi M. Obenour <demiobenour at gmail.com> wrote:
>
> [...snip...] Essentially, this tool would be an “SSH subsystem”: it would provide all of the forwarding features of sshd(8), but without encryption or authentication. This is similar to how sftp-server(8) expects an already secure and authenticated connection.

You might want to investigate HPN-SSH (https://www.psc.edu/hpn-ssh), which among other things, is supposed to support disabling encryption and authentication, though this support isn't enabled by default.
hvjunk
2019-Oct-16 00:45 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
> On 16 Oct 2019, at 00:59 , Demi M. Obenour <demiobenour at gmail.com> wrote:
>
> There have been many cases where I have found myself in need of a pure forwarding tool that can forward sockets over a single stream. In my use cases, this stream is already secure, so there is no need for the tool to do any encryption or authentication. One specific use-case was forwarding a Docker socket to another VM over QubesOS qrexec, which uses Xen shared memory, but there are undoubtedly others, such as forwarding over a pre-authenticated TLS or SSH connection.
>
> OpenSSH already provides this and more, but it wraps them up in an interface that is inconvenient for the purpose. I wound up resorting to `sshd -i` with key-based authentication, but the encryption and authentication is pointless overhead here, and having to generate host keys is annoying. Essentially, this tool would be an “SSH subsystem”: it would provide all of the forwarding features of sshd(8), but without encryption or authentication. This is similar to how sftp-server(8) expects an already secure and authenticated connection.

The more I read this, and your other responses, the more I have the funny feeling you are looking for the -L & -R options, perhaps the -J option and should consider the -D & -w & -W options too.

> Another alternative would be additional options, like `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`, to ssh(1) and sshd(8).
>
> How difficult would it be to incorporate such a tool into OpenSSH? If this is not something the OpenSSH developers are interested in, I could try to write one myself, but that would likely be significantly more effort and duplicate capabilities already found in the OpenSSH codebase. I also won't have time for quite a while.
>
> Disclaimer: I have almost no knowledge of the SSH protocol, and have not looked at the OpenSSH source code. I am merely a (very) happy user.

Perhaps re-read the ssh(1) manual pages? I found the -w & -W options as I was preparing for a VPN talk the past month ;) (And I've been using SSH since 1993)

Else, you might consider VTUN for a stream forwarding option too (and not just a tap/tun connection)

> Thank you,
>
> Demi M. Obenour
Demi M. Obenour
2019-Oct-16 01:07 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 20:45, hvjunk wrote:
>
> The more I read this, and your other responses, the more I have the funny feeling you are looking for the -L & -R options, perhaps the -J option and should consider the -D & -w & -W options too.

The -L, -N, -oStrictHostKeyChecking=no, and -oProxyCommand= options to ssh(1), and the -i option to sshd(8), do indeed do what I need. As I said, however, the interface is rather clumsy: I don't need host keys at all (since the connection is already authenticated), and the encryption is needless overhead when the connection is over Xen shared memory. My ultimate solution did, in fact, use OpenSSH as it exists today. I just think that it can be improved :).

>
>> Another alternative would be additional options, like `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`, to ssh(1) and sshd(8).
>>
>> How difficult would it be to incorporate such a tool into OpenSSH? If this is not something the OpenSSH developers are interested in, I could try to write one myself, but that would likely be significantly more effort and duplicate capabilities already found in the OpenSSH codebase. I also won't have time for quite a while.
>>
>> Disclaimer: I have almost no knowledge of the SSH protocol, and have not looked at the OpenSSH source code. I am merely a (very) happy user.
>
> Perhaps re-read the ssh(1) manual pages? I found the -w & -W options as I was preparing for a VPN talk the past month ;) (And I've been using SSH since 1993)
>
> Else, you might consider VTUN for a stream forwarding option too (and not just a tap/tun connection)

I just installed vtun, and it can indeed forward streams. However, it seems to also require one connection per stream. If it had all the forwarding abilities that OpenSSH has, and its client was equally secure against malicious servers, it would be an ideal solution.

Sincerely,

Demi
Demi M. Obenour
2019-Oct-16 01:12 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 20:37, Jeremy Lin wrote:
> On Tue, Oct 15, 2019 at 4:02 PM Demi M. Obenour <demiobenour at gmail.com> wrote:
>>
>> [...snip...] Essentially, this tool would be an “SSH subsystem”: it would provide all of the forwarding features of sshd(8), but without encryption or authentication. This is similar to how sftp-server(8) expects an already secure and authenticated connection.
>
> You might want to investigate HPN-SSH (https://www.psc.edu/hpn-ssh), which among other things, is supposed to support disabling encryption and authentication, though this support isn't enabled by default.

That is amazing, thanks! I would love to see their networking patches upstreamed. As far as disabling the crypto, it would be nice if the insecure version built separate binaries. mux-client(1) and mux-server(1) anyone? Would building such binaries from the same source tree be acceptable to the OpenSSH maintainers?

Sincerely,

Demi
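As an added illustration (not code from this thread, from OpenSSH or from HPN-SSH) of what a mux-server/mux-client pair would have to do to carry several forwarded sockets over the single stdin/stdout stream, which is the capability vtun's one-connection-per-stream model lacks: a minimal channel-framing layer with a parser that copes with reads that end mid-frame. The frame layout, channel kinds and sample stream are constructed for this example; in line with the trust assumption stated in the thread, the parser only bounds frame sizes and does not authenticate the peer.

```python
import struct

# Frame layout (constructed for this illustration, not OpenSSH's wire format):
# 4-byte big-endian channel id, 1-byte kind, 4-byte big-endian length, payload.
HEADER = struct.Struct(">IBI")
OPEN, DATA, CLOSE = 0, 1, 2
MAX_PAYLOAD = 1 << 20  # bound per-frame buffering so a bad peer cannot exhaust memory

def encode_frame(chan, kind, payload=b""):
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    return HEADER.pack(chan, kind, len(payload)) + payload

def parse_frames(buf):
    """Split buf into complete frames and return (frames, unconsumed tail); a partial
    trailing frame stays in the tail so the next read from the pipe can be appended."""
    frames, off = [], 0
    while len(buf) - off >= HEADER.size:
        chan, kind, length = HEADER.unpack_from(buf, off)
        if length > MAX_PAYLOAD:
            raise ValueError("oversized frame from peer")
        end = off + HEADER.size + length
        if end > len(buf):
            break
        frames.append((chan, kind, buf[off + HEADER.size:end]))
        off = end
    return frames, buf[off:]

class Demux:
    # Routes frames arriving on the single stream to per-channel byte sinks.
    def __init__(self):
        self.channels = {}
    def feed(self, frames):
        for chan, kind, payload in frames:
            if kind == OPEN:
                self.channels[chan] = bytearray()
            elif kind == DATA and chan in self.channels:  # unknown channel: dropped
                self.channels[chan] += payload
            elif kind == CLOSE:
                self.channels.pop(chan, None)

def demo():
    # Constructed stream: two logical connections interleaved on one byte stream.
    stream = b"".join([encode_frame(1, OPEN), encode_frame(2, OPEN),
                       encode_frame(1, DATA, b"GET /"), encode_frame(2, DATA, b"docker"),
                       encode_frame(1, DATA, b" HTTP/1.0"), encode_frame(2, CLOSE)])
    first, tail = parse_frames(stream[:20])        # deliberately cut mid-frame
    rest, tail = parse_frames(tail + stream[20:])  # resume with the leftover bytes
    d = Demux()
    d.feed(first + rest)
    return {c: bytes(b) for c, b in d.channels.items()}, tail
```

In a real tool each channel sink would be the local socket being forwarded and the frames would be written to and read from stdout/stdin; the demo keeps everything in memory so it runs offline.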