Chris Rapier wrote in
<9b9c0475-7c4f-468a-b6bf-7921fb5e276c at psc.edu>:
|So I do some development based on openssh and I'm trying to think of
|some new projects that might extend the functionality, feature set, user
|workflow, performance, etc of ssh.
Despite my own two year old SIGUSR1 for ssh-agent that i rebase
all the time.
SSH over UDP (or "any other non-stream", or "auto-connection-re-
establish" protocol). I do not know how it can work for you all
if you have internet access via wlan; maybe ipsec is also an
option, i do not use it as i am afraid of the setup (on all end
points; there is that interesting thing for OpenBSD, but i never
heard anything real again -- and OpenBSD only of course), and
WireGuard does this really nicely!
Yes i am thankful for the UDP based WireGuard, it improved my SSH
experience tremendously, as eventual "reconnections" are not seen
by OpenSSH at all, it is only the timeouts that keep on ticking.
As WG also then bypasses the normal FILTER firewall once
a connection is established, i can use super strict firewalling
rules on the freely chosen ports WG listens on. This did not work
out with plain SSH even with ControlMaster as after connection
break you, well, have to re-establish a TCP connection, thus
counting against the limit.
(I mean i do have a port-knocking thing that whitelists me for 30
seconds, NOW, before it only could remove all occurrances of the
remote IP from all firewall lists. Now i simply can thereafter
use WG (wg show XX dump) to whitelist in an early "table" any
client that successfully connected (in the last X seconds). What
a relieve!)
Now the only thing that remains is that ~60 second connection
limit for OpenBSD downloads on their main server, since with
64KBit you cannot even download the openssh ball within.
Thank you.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)