openssh unix dev - Oct 2019 - Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)

There have been many cases where I have found myself in need of a pure
forwarding tool that can forward sockets over a single stream.  In my
use cases, this stream is already secure, so there is no need for the
tool to do any encryption or authentication.  One specific use-case was
forwarding a Docker socket to another VM over QubesOS qrexec qrexec,
which uses Xen shared memory, but there are undoubtedly others,
such as forwarding over a pre-authenticated TLS or SSH connection.

OpenSSH already provides this and more, but it wraps them up in an
interface that is inconvenient for the purpose.  I wound up resorting
to `sshd -i` with key-based authentication, but the encryption and
authentication is pointless overhead here, and having to generate
host keys is annoying.  Essentially, this tool would be an ?SSH
subsystem? ? it would provide all of the forwarding features of
sshd(8), but without encryption or authentication.  This is similar
to how sftp-server(8) expects an already secure and authenticated
connection.

Another alternative would be additional options, like
`-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`,
to ssh(1) and sshd(8).

How difficult would it be to incorporate such a tool into OpenSSH?
If this is not something the OpenSSH developers are interested in, I
could try to write one myself, but that would likely be significantly
more effort and duplicate capabilities already found in the OpenSSH
codebase.  I also won?t have time for quite a while.

Disclaimer: I have almost no knowledge of the SSH protocol, and
have not looked at the OpenSSH source code.  I am merely a (very)
happy user.

Thank you,

Demi M. Obenour

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20191015/7bcd7338/attachment.asc>

The S in SSH stands for secure. You are asking the wrong group of people.
You?ll have to resolve your issue in some other way.

On 2019-10-15 19:11, Job Snijders wrote:
> The S in SSH stands for secure. You are asking the wrong group of people.
> You?ll have to resolve your issue in some other way.
> 
This tool would only support running on stdin/stdout.  Indeed,
an idiomatic use-case would be to use it as the command argument
to ssh(1).  The assumption I am making is that anyone that can pass
arbitrary data to this tool over stdin can also obtain a shell (with
the same privileges).

Sincerely,

Demi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20191015/335944fc/attachment-0001.asc>

On Tue, Oct 15, 2019 at 4:02 PM Demi M. Obenour <demiobenour at gmail.com>
wrote:
>
> [...snip...] Essentially, this tool would be an ?SSH
> subsystem? ? it would provide all of the forwarding features of
> sshd(8), but without encryption or authentication.  This is similar
> to how sftp-server(8) expects an already secure and authenticated
> connection.
You might want to investigate HPN-SSH (https://www.psc.edu/hpn-ssh),
which among other things, is supposed to support disabling encryption
and authentication, though this support isn't enabled by default.

> On 16 Oct 2019, at 00:59 , Demi M. Obenour <demiobenour at gmail.com>
wrote:
> 
> There have been many cases where I have found myself in need of a pure
> forwarding tool that can forward sockets over a single stream.  In my
> use cases, this stream is already secure, so there is no need for the
> tool to do any encryption or authentication.  One specific use-case was
> forwarding a Docker socket to another VM over QubesOS qrexec qrexec,
> which uses Xen shared memory, but there are undoubtedly others,
> such as forwarding over a pre-authenticated TLS or SSH connection.
> 
> OpenSSH already provides this and more, but it wraps them up in an
> interface that is inconvenient for the purpose.  I wound up resorting
> to `sshd -i` with key-based authentication, but the encryption and
> authentication is pointless overhead here, and having to generate
> host keys is annoying.  Essentially, this tool would be an ?SSH
> subsystem? ? it would provide all of the forwarding features of
> sshd(8), but without encryption or authentication.  This is similar
> to how sftp-server(8) expects an already secure and authenticated
> connection.

The more I read this, and your other responses, the more I have the funny
feeling you are looking for the -L & -R options, perhaps the -J option and
should consider the -D & -w & -W  options too.

> Another alternative would be additional options, like
> `-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`,
> to ssh(1) and sshd(8).
> 
> How difficult would it be to incorporate such a tool into OpenSSH?
> If this is not something the OpenSSH developers are interested in, I
> could try to write one myself, but that would likely be significantly
> more effort and duplicate capabilities already found in the OpenSSH
> codebase.  I also won?t have time for quite a while.
> 
> Disclaimer: I have almost no knowledge of the SSH protocol, and
> have not looked at the OpenSSH source code.  I am merely a (very)
> happy user.
Perhaps re-read the ssh(1) manual pages?. I found the -w & -W options as I
were preparing for a VPN talk the past month ;) (And I?ve been using SSH since
1993)

Else, you might consider VTUN for a stream forwarding option too (and not just a
tap/tun connection)


> 
> Thank you,
> 
> Demi M. Obenour
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On 2019-10-15 20:45, hvjunk wrote:
> 
> The more I read this, and your other responses, the more I have the funny
feeling you are looking for the -L & -R options, perhaps the -J option and
should consider the -D & -w & -W  options too.
> 
The -L, -N, -oStrictHostKeyChecking=no, and -oProxyCommand= options
to ssh(1), and the -i option to sshd(8), do indeed do what I need.
As I said, however, the interface is rather clumsy: I don?t need
host keys at all (since the connection is already authenticated),
and the encryption is needless overhead when the connection is over
Xen shared memory.  My ultimate solution did, in fact, use OpenSSH
as it exists today.  I just think that it can be improved
:).
> 
>> Another alternative would be additional options, like
>>
`-oIPromiseMyConnectionIsTrustedDisableAuthenticationAndEncryption=yes`,
>> to ssh(1) and sshd(8).
>>
>> How difficult would it be to incorporate such a tool into OpenSSH?
>> If this is not something the OpenSSH developers are interested in, I
>> could try to write one myself, but that would likely be significantly
>> more effort and duplicate capabilities already found in the OpenSSH
>> codebase.  I also won?t have time for quite a while.
>>
>> Disclaimer: I have almost no knowledge of the SSH protocol, and
>> have not looked at the OpenSSH source code.  I am merely a (very)
>> happy user.
> 
> Perhaps re-read the ssh(1) manual pages?. I found the -w & -W options
as I were preparing for a VPN talk the past month ;) (And I?ve been using SSH
since 1993)
> 
> Else, you might consider VTUN for a stream forwarding option too (and not
just a tap/tun connection)
> 
I just installed vtun, and it can indeed forward streams.  However,
it seems to also require one connection per stream.  If it had all
the forwarding abilities that OpenSSH has, and its client was equally
secure against malicious servers, it would be an ideal solution.

Sincerely,

Demi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20191015/62f3db0b/attachment.asc>

On 2019-10-15 20:37, Jeremy Lin wrote:
> On Tue, Oct 15, 2019 at 4:02 PM Demi M. Obenour <demiobenour at
gmail.com> wrote:
>>
>> [...snip...] Essentially, this tool would be an ?SSH
>> subsystem? ? it would provide all of the forwarding features of
>> sshd(8), but without encryption or authentication.  This is similar
>> to how sftp-server(8) expects an already secure and authenticated
>> connection.
> 
> You might want to investigate HPN-SSH (https://www.psc.edu/hpn-ssh),
> which among other things, is supposed to support disabling encryption
> and authentication, though this support isn't enabled by default.
> 
That is amazing, thanks!  I would love to see their networking
patches upstreamed.  As far as disabling the crypto, it would be
nice if the insecure version built separate binaries.  mux-client(1)
and mux-server(1) anyone?

Would building such binaries from the same source tree be acceptable
to the OpenSSH maintainers?

Sincerely,

Demi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20191015/0429d6d4/attachment.asc>