Hey Thorsten,

Thorsten Glaser <t.glaser at tarent.de> writes:

> On Sun, 12 Jan 2020, Nico Schottelius wrote:
>
>> I was wondering what you think about SNI (server name indication)
>> support to OpenSSH?
>
> Oh, please absolutely not. SNI is a privacy violation in HTTP, and
> otherwise just a poor excuse to continue running NAT and/or IPv4.

you might have misunderstood me. The purpose of my request was to enable
transition towards IPv6 networks. Concrete, the following scenario:

    [ v4 Internet ]
           |
    [ v4 to v6proxy ]----------------------------
           |                  |                  |
    [v6 only host 1]   [v6 only host 2]   [v6 only host 3]
           |                  |                  |
    [ v6 Internet ]-----------------------------

If we had any possibility to support this scenario, a lot of services
that we see could be shifted to IPv6 only hosts today and not tomorrow.

The "migrate everyone at once" approach really doesn't work in real
life, you need to have either network providers or content providers do
a start. And at this point a lot of things can already be shifted to
IPv6 only machines while still being accessible from the legacy Internet.

Besides ssh.

Let me rephrase my original question, I don't actually want SNI:

Is there any way to create a multiplexing proxy for SSH?

Best regards,

Nico

--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
Have you ever considered using ssh's proxy-command for this?
I have a similar setup, works great for me.

--
Martin
> Have you ever considered using ssh's proxy-command for this?
> I have a similar setup, works great for me.

I think the intended application is to proxy through a proxy host
provided by the service provider, if SSH had an SNI-like feature where a
host identifier was passed in plain text during the initial connection.
This way the user would just need to register their host identifier and
IPv6 address (e.g. via AAAA DNS records), and the service provider
wouldn't need to maintain a list of allowed users.

The proxy would have no more access to the contents of the SSH
connection than any other intervening stateful firewall. I don't see a
compelling security reason not to optionally include the hostname in the
clear; any eavesdropper near the client would observe the DNS request
and the SSH TCP connection.

-Dustin
On 12/01/2020 15:39, Nico Schottelius wrote:
>
> Hey Thorsten,
>
> you might have misunderstood me. The purpose of my request was to enable
> transition towards IPv6 networks. Concrete, the following scenario:
>
>
>     [ v4 Internet ]
>            |
>     [ v4 to v6proxy ]----------------------------
>            |                  |                  |
>     [v6 only host 1]   [v6 only host 2]   [v6 only host 3]
>            |                  |                  |
>     [ v6 Internet ]-----------------------------
>
> If we had any possibility to support this scenario, a lot of services
> that we see could be shifted to IPv6 only hosts today and not tomorrow.
>
> The "migrate everyone at once" approach really doesn't work in real
> life, you need to have either network providers or content providers do
> a start. And at this point a lot of things can already be shifted to
> IPv6 only machines with still being accessible from the legacy Internet.
>
> Besides ssh.
>
> Let me rephrase my original question, I don't actually want SNI:
>
> Is there any way to create a multiplexing proxy for SSH?

FWIW a provider called Mythic Beasts[0] seem to have much the same issue
as you. They provide IPv6-only servers and need to provide ssh access to
them over IPv4.

What they do is multiplex based on port number. For example, to ssh to
one server I run:

    ssh -p 5167 root@ssh.monit_test.hostedpi.com

and to another I run:

    ssh -p 5161 root@ssh.test.hostedpi.com

It's not quite as slick as automatically routing based on the domain used
for access but does the trick well enough for them and is used in
production.

[0]: mythic-beasts.com
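The two workarounds raised in this thread (Martin's ProxyCommand setup and the port-based multiplexing described above) can both be expressed from the client side in ~/.ssh/config. The fragment below is an added example, not configuration from any poster or from Mythic Beasts; the host names, ports and the "relay" user are hypothetical. The security point it makes is that in both layouts the SSH session stays end-to-end: the v4 front end only relays TCP, and the client still verifies the backend's host key, so the proxy sees no more than a stateful firewall would.

```sshconfig
# ~/.ssh/config -- added example; all names, addresses and ports are hypothetical.

# Approach 1: port-based multiplexing on a single public IPv4 address.
# The v4 front end forwards TCP port 5001 to host1 and 5002 to host2,
# each of which is reachable only over IPv6.
Host host1
    HostName ssh.example.net
    Port 5001
    # A non-default port is stored in known_hosts as [ssh.example.net]:5001,
    # so each backend already gets its own host-key entry. Pinning an explicit
    # alias keeps that entry stable if the provider later renumbers ports.
    HostKeyAlias host1.v6.example.net

Host host2
    HostName ssh.example.net
    Port 5002
    HostKeyAlias host2.v6.example.net

# Approach 2: relay through a dual-stack bastion (ProxyJump / ProxyCommand).
# The bastion only opens a TCP channel to the final host (ssh -W); the
# client negotiates SSH directly with the IPv6-only backend and checks
# its host key, so the bastion cannot read or alter the session.
Host bastion
    HostName bastion.example.net
    User relay

Host *.v6.example.net
    ProxyJump bastion
    # Equivalent pre-ProxyJump spelling, for older OpenSSH clients:
    # ProxyCommand ssh -W %h:%p bastion
```

With this in place "ssh host1" uses the port multiplexer and "ssh host3.v6.example.net" goes via the bastion. The trade-off Dustin points at remains: the bastion variant needs a relay account per user (or a shared, forwarding-only one), whereas the port variant needs no accounts on the front end but exposes one port per backend host.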