Demi M. Obenour
2019-Oct-16 00:04 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 20:00, asymptosis wrote:
> On Tue, Oct 15, 2019 at 07:43:00PM -0400, Demi M. Obenour wrote:
>> On 2019-10-15 19:11, Job Snijders wrote:
>>> The S in SSH stands for secure. You are asking the wrong group of people.
>>> You'll have to resolve your issue in some other way.
>>>
>> This tool would only support running on stdin/stdout. Indeed,
>> an idiomatic use-case would be to use it as the command argument
>> to ssh(1). The assumption I am making is that anyone that can pass
>> arbitrary data to this tool over stdin can also obtain a shell (with
>> the same privileges).
>
> It smells like an XY-problem. I gather you are after something like a reverse proxy, so why not just use something which advertises reverse proxying, like nginx or haproxy?
>
> If they are still too heavy I would also check whether your requirements could
> be met by netcat.
>

As I mentioned in another email, what I am really looking for is
multiplexing multiple socket connections over a single full-duplex
stream. None of the tools you just mentioned can do this. HTTP/2
connection multiplexing can almost do this, but my understanding is
that it is meant as an optimization only.

If you do know of such a tool, I would love to know what it is!

Thank you,

Demi
Darren Tucker
2019-Oct-16 00:33 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
The goal of OpenSSH is to replace unencrypted connections, so such a mode
would be counter to the project's goals, and such features have actually
been the source of security problems in the past.

On Wed, 16 Oct 2019 at 11:16, Demi M. Obenour <demiobenour at gmail.com> wrote:
> As I mentioned in another email, what I am really looking for is
> multiplexing multiple socket connections over a single full-duplex
> stream.

Sounds like you want a SOCKS server like Dante or similar.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Demi M. Obenour
2019-Oct-16 00:45 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-15 20:33, Darren Tucker wrote:
> The goal of OpenSSH is to replace unencrypted connections, so such a mode
> would be counter to the project's goals, and such features have actually
> been the source of security problems in the past.
>

What if this was a separate binary that reused the underlying
multiplexing and forwarding logic? In retrospect, you are correct that
adding such a mode to ssh(1) and sshd(8) would be bad.

> On Wed, 16 Oct 2019 at 11:16, Demi M. Obenour <demiobenour at gmail.com> wrote:
>
>> As I mentioned in another email, what I am really looking for is
>> multiplexing multiple socket connections over a single full-duplex
>> stream.
>
>
> Sounds like you want a SOCKS server like Dante or similar.
>

Not really. A SOCKS server needs one TCP connection for each stream.
SSH can forward many streams over the same TCP connection.

To give a concrete use case: I wrote a program that uses Docker
containers to run untrusted, user-provided code in various languages.
For security reasons, the containers run in a separate QubesOS
disposable VM. This means that my application can only connect to the
Docker daemon on the remote machine by means of a single reliable
stream. I used OpenSSH to multiplex many AF_UNIX socket connections
over that stream. A SOCKS server would not work here, as it lacks the
multiplexing ability.

Sincerely,

Demi
Jochen Bern
2019-Oct-16 08:16 UTC
Re: Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 10/16/2019 02:04 AM, Demi M. Obenour wrote:
> As I mentioned in another email, what I am really looking for is
> multiplexing multiple socket connections over a single full-duplex
> stream.

As far as I know, SSH's forwarding allows only one kind of "socket",
namely, TCP connections - as opposed to, e.g., UNIX sockets.

If that's what you mean, my recommendation would be to establish the
"trunk" connection not with OpenSSH, but OpenVPN. OpenVPN can use TCP
and (preferred) UDP for the "trunk", can AFAIK be configured not to
encrypt the *data* stream at all, will automatically re-establish the
"trunk" when it gets closed, and the server can "push" a route to the
subnet your Docker containers live in to the client. (If that subnet
or the addresses thereon tend(s) to *change* over time, finding the
proper IPs to connect to from the VPN client might become a (minor)
problem.)

If you want to avoid even the *potential* overhead of the encryption
parts of a VPN software like OpenVPN, my next suggestion would be GRE,
but I haven't done *that* on a unixoid base yet and you *will* have to
do quite some work to permit GRE tunnels from A to B through all the
firewalls that may sit on the path ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Robert-Koch-Straße 9
64331 Weiterstadt
Nico Kadel-Garcia
2019-Oct-16 12:07 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On Tue, Oct 15, 2019 at 8:16 PM Demi M. Obenour <demiobenour at gmail.com> wrote:
>
> On 2019-10-15 20:00, asymptosis wrote:
> > On Tue, Oct 15, 2019 at 07:43:00PM -0400, Demi M. Obenour wrote:
> >> On 2019-10-15 19:11, Job Snijders wrote:
> >>> The S in SSH stands for secure. You are asking the wrong group of people.
> >>> You'll have to resolve your issue in some other way.
> >>>
> >> This tool would only support running on stdin/stdout. Indeed,
> >> an idiomatic use-case would be to use it as the command argument
> >> to ssh(1). The assumption I am making is that anyone that can pass
> >> arbitrary data to this tool over stdin can also obtain a shell (with
> >> the same privileges).
> >
> > It smells like an XY-problem. I gather you are after something like a reverse proxy, so why not just use something which advertises reverse proxying, like nginx or haproxy?
> >
> > If they are still too heavy I would also check whether your requirements could
> > be met by netcat.
> >
>
> As I mentioned in another email, what I am really looking for is
> multiplexing multiple socket connections over a single full-duplex
> stream. None of the tools you just mentioned can do this. HTTP/2
> connection multiplexing can almost do this, but my understanding is
> that it is meant as an optimization only.
>
> If you do know of such a tool, I would love to know what it is!

stunnel? https://www.stunnel.org/static/stunnel.html ?
Demi M. Obenour
2019-Oct-16 15:34 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-16 04:16, Jochen Bern wrote:
> On 10/16/2019 02:04 AM, Demi M. Obenour wrote:
>> As I mentioned in another email, what I am really looking for is
>> multiplexing multiple socket connections over a single full-duplex
>> stream.
>
> As far as I know, SSH's forwarding allows only one kind of "socket",
> namely, TCP connections - as opposed to, e.g., UNIX sockets.

SSH does allow forwarding AF_UNIX sockets. The solution I came up with
uses that ability.

> If that's what you mean, my recommendation would be to establish the
> "trunk" connection not with OpenSSH, but OpenVPN.

OpenVPN still requires network access, which I would prefer to avoid
here. In some of my use-cases, the VM I am connecting to has no
network access at all. In other cases, I might only be able to connect
via a bastion host.

Sincerely,

Demi
Demi M. Obenour
2019-Oct-16 16:12 UTC
Re: “Stripped-down” SSH (no encryption or authentication, just forwarding)
On 2019-10-16 08:07, Nico Kadel-Garcia wrote:
>
> stunnel? https://www.stunnel.org/static/stunnel.html ?
>

stunnel doesn't support multiplexing. As I mentioned in another email,
my connection may not be over a network at all - it may be over a
serial line, Xen vchan, or other such stream. Using a full VPN is
overkill here.

The HPN patches for OpenSSH are the closest to a solution I have
found, although I might wind up writing my own tool. Would a dedicated
protocol, such as yamux, be better for this than SSH?

Sincerely,

Demi
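Two points in this thread are easy to misread without seeing the mechanism: Demi's description of multiplexing many AF_UNIX connections over one reliable stream (where a SOCKS server, which needs one TCP connection per stream, does not fit), and the closing question of whether a dedicated framing protocol such as yamux would serve better than the SSH channel layer. The example below is added here by the editor and is not code from the thread, from OpenSSH or from yamux: it is a toy stream multiplexer whose 7-byte frame header (type, stream id, payload length) is an assumption chosen for illustration, not either project's wire format. It carries two logical streams over a single full-duplex `socketpair()` standing in for the "trunk" (a serial line, Xen vchan or an ssh(1) command's stdin/stdout would do the same job), splits large writes into small frames so one busy stream cannot starve the other, and drops frames for streams that were never opened instead of letting a misbehaving peer crash the trunk.

```python
"""Toy stream multiplexer: many logical streams over one full-duplex trunk.

Constructed illustration, not the OpenSSH channel layer and not the yamux
wire format; the frame layout below is an assumption made for this example.
"""
import socket
import struct
import threading

# Frame header: type (1 byte), stream id (4 bytes), payload length (2 bytes).
HDR = struct.Struct("!BIH")
T_OPEN, T_DATA, T_CLOSE = 1, 2, 3
CHUNK = 1024  # small frames keep one busy stream from starving the others


def encode_frame(ftype, sid, payload=b""):
    if len(payload) > 0xFFFF:
        raise ValueError("payload does not fit in a single frame")
    return HDR.pack(ftype, sid, len(payload)) + payload


def recv_exact(sock, n):
    """Read exactly n bytes from the trunk; raise EOFError if it closes early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("trunk closed")
        buf += chunk
    return bytes(buf)


def decode_frame(sock):
    ftype, sid, length = HDR.unpack(recv_exact(sock, HDR.size))
    return ftype, sid, recv_exact(sock, length) if length else b""


class Mux:
    """Sending side: hands out stream ids and serialises frames onto the trunk."""

    def __init__(self, trunk):
        self.trunk = trunk
        self.lock = threading.Lock()  # whole frames only; writers never tear
        self.next_sid = 1

    def open(self):
        with self.lock:
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            self.trunk.sendall(encode_frame(T_OPEN, sid))
        return sid

    def send(self, sid, data):
        for off in range(0, len(data), CHUNK):
            with self.lock:
                self.trunk.sendall(encode_frame(T_DATA, sid, data[off:off + CHUNK]))

    def close(self, sid):
        with self.lock:
            self.trunk.sendall(encode_frame(T_CLOSE, sid))


class Demux:
    """Receiving side: reassembles per-stream byte sequences from the trunk."""

    def __init__(self, trunk):
        self.trunk = trunk
        self.streams = {}  # sid -> bytearray received so far
        self.closed = set()
        self.dropped = 0   # frames for unknown or already-closed streams

    def run(self):
        """Consume frames until the trunk reaches EOF."""
        while True:
            try:
                ftype, sid, payload = decode_frame(self.trunk)
            except EOFError:
                return
            if ftype == T_OPEN and sid not in self.streams:
                self.streams[sid] = bytearray()
            elif ftype == T_DATA and sid in self.streams and sid not in self.closed:
                self.streams[sid] += payload
            elif ftype == T_CLOSE and sid in self.streams:
                self.closed.add(sid)
            else:
                self.dropped += 1  # misbehaving peer: drop, do not kill the trunk


def demo():
    """Two concurrent streams share one socketpair; returns what the far end saw."""
    near, far = socket.socketpair()  # constructed stand-in for the real trunk
    mux, demux = Mux(near), Demux(far)
    reader = threading.Thread(target=demux.run)
    reader.start()

    def talk(sid, payload):
        mux.send(sid, payload)
        mux.close(sid)

    a, b = mux.open(), mux.open()
    t1 = threading.Thread(target=talk, args=(a, b"A" * 5000))  # several frames
    t2 = threading.Thread(target=talk, args=(b, b"hello from stream two"))
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    near.sendall(encode_frame(T_DATA, 99, b"stray"))  # never opened: must be dropped
    near.close()  # EOF on the trunk ends the reader
    reader.join()
    return {sid: bytes(data) for sid, data in demux.streams.items()}, demux.dropped


if __name__ == "__main__":
    streams, dropped = demo()
    for sid, data in streams.items():
        print(sid, len(data), data[:20])
    print("dropped frames:", dropped)
```

The lock around each `sendall` is what makes the trunk a multiplexer rather than a shared pipe: frames from different threads interleave but never tear, which is the same property SSH channels and yamux streams rely on. What this toy lacks, and what a real protocol adds, is per-stream flow control (window updates), so a slow consumer on one stream cannot back-pressure the whole trunk; that is the main thing to weigh when deciding between reusing SSH's channel layer and adopting a dedicated protocol.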