Demi M. Obenour
2019-Oct-15 23:43 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 19:11, Job Snijders wrote:
> The S in SSH stands for secure. You are asking the wrong group of people.
> You'll have to resolve your issue in some other way.

This tool would only support running on stdin/stdout. Indeed, an idiomatic use-case would be to use it as the command argument to ssh(1). The assumption I am making is that anyone that can pass arbitrary data to this tool over stdin can also obtain a shell (with the same privileges).

Sincerely,
Demi
asymptosis
2019-Oct-16 00:00 UTC
“Stripped-down” SSH (no encryption or authentication, just forwarding)
On Tue, Oct 15, 2019 at 07:43:00PM -0400, Demi M. Obenour wrote:
> On 2019-10-15 19:11, Job Snijders wrote:
> > The S in SSH stands for secure. You are asking the wrong group of people.
> > You'll have to resolve your issue in some other way.
>
> This tool would only support running on stdin/stdout. Indeed,
> an idiomatic use-case would be to use it as the command argument
> to ssh(1). The assumption I am making is that anyone that can pass
> arbitrary data to this tool over stdin can also obtain a shell (with
> the same privileges).

It smells like an XY-problem. I gather you are after something like a reverse proxy, so why not just use something which advertises reverse proxying, like nginx or haproxy?

If they are still too heavy I would also check whether your requirements could be met by netcat.
Demi M. Obenour
2019-Oct-16 00:04 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 20:00, asymptosis wrote:
> On Tue, Oct 15, 2019 at 07:43:00PM -0400, Demi M. Obenour wrote:
>> On 2019-10-15 19:11, Job Snijders wrote:
>>> The S in SSH stands for secure. You are asking the wrong group of people.
>>> You'll have to resolve your issue in some other way.
>>
>> This tool would only support running on stdin/stdout. Indeed,
>> an idiomatic use-case would be to use it as the command argument
>> to ssh(1). The assumption I am making is that anyone that can pass
>> arbitrary data to this tool over stdin can also obtain a shell (with
>> the same privileges).
>
> It smells like an XY-problem. I gather you are after something like a reverse proxy, so why not just use something which advertises reverse proxying, like nginx or haproxy?
>
> If they are still too heavy I would also check whether your requirements could
> be met by netcat.

As I mentioned in another email, what I am really looking for is multiplexing multiple socket connections over a single full-duplex stream. None of the tools you just mentioned can do this. HTTP/2 connection multiplexing can almost do this, but my understanding is that it is meant as an optimization only.

If you do know of such a tool, I would love to know what it is!

Thank you,
Demi