SSH virtual hosts (RE: [rescue] an idea...)

Loomis, Rip rescue at sunhelp.org
Wed Jan 2 16:46:04 CST 2002


What you're discussing would really require changes to the
current SSH protocol(s), and IMHO is unlikely to ever happen.
Remember that one of the reasons why name-based virtual
hosts work fine for HTTP connections but IP-based virtual
hosts are needed for SSL (HTTPS) is that the "which system
are you looking for" info needs to be presented by the
client at a *very* early stage of the connection setup
and negotiation.  This wasn't planned into HTTP but was
bolted on later (the "Host" item in the HTTP headers, IIRC)
--so it works with HTTP but not with HTTP-over-SSL.
If you tried to add virtual hosts to SSH, you would similarly
need to pass the "who am I looking for" info *before* the
SSHd could decide which host key to present as its credentials,
and therefore before the crypto session was fully initialized.
Sort of a chicken-and-egg problem.

Not saying it couldn't be done--but it would be painful
and quite likely non-interoperable.  This topic has come up before on
the (portable) OpenSSH developers' list
  http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
and the consensus
is that running multiple SSHd's on different ports seems to
work for most people.  You can also play around with just
doing port-forwarding at the NAT box that I'm going to
assume you're using with the RFC1918 space.

The best solution that I remember seeing discussion of
recently was configuring (in ssh_config) a particular
port to use with a particular hostname.  If I wanted to
SSH to host1.internal.mydomain.org and host2.internal.mydomain.org
more-or-less transparently, with both behind natbox.isp.com,
I could (supposedly) have in /etc/ssh_config on my client
system:

=-=-=-=
# "host1" is the alias typed on the command line: ssh host1
Host host1
  HostName natbox.isp.com   # the public NAT box both hosts sit behind
  Port 2201                 # forwarded by the NAT box to host1.internal:22
Host host2
  HostName natbox.isp.com
  Port 2202                 # forwarded by the NAT box to host2.internal:22
=-=-=-=

and then just do static bi-directional NAT of
  natbox.isp.com:2201 <-> host1.internal:22
  natbox.isp.com:2202 <-> host2.internal:22

Two big problems:
  - The ssh_config (or $HOME/.ssh/config) needs to be on
    each system you might use as a client (or you can
    just use the longer "ssh -p 2201 hostname" method)
  - If natbox.isp.com has a DHCP address then you'll need
    one of the dynamic DNS supporters out there to give
    you an updatable name or you'll need to change ssh_config
    each time natbox gets a new IP.  The latter change
    process could be automated, though.

Strangely enough, I'm SSH'd into my NAT box at home right
now, playing with other things, and I've been meaning to
get this working for a while.  If I ever do, I'll send a
progress report.

Did I miss anything?

  --Rip

> -----Original Message-----
> From: George Adkins [mailto:george at webbastard.org]
> Sent: Wednesday, 02 January, 2002 16:59
[[SNIP]]
> a web server (apache for example) is capable of identifying
> the target url of the browser looking at it (a-la virtual
> domains), right?
>
> how about an ssh gateway which would receive the connection
> intended for a machine on a private (RFC1918) network (via
> external DNS CNAME records for the target machine pointing at
> the gateway) and then tunnel the connection on to the target
> machine (RFC1918 address, obtained from either a config file or
> an internal split DNS server)
>
> would the SSH client need to be modified to get it to pass on
> the target hostname?
>
> any comments?  Ideas?
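The ssh_config-plus-static-NAT scheme Rip describes above, worked through as an added example (not code from the thread or from OpenSSH): a small resolver that applies ssh_config's first-match-wins rule to the two Host stanzas, the NAT pairing each stanza implies, and the name under which modern OpenSSH files the host key for a non-default port, which is what keeps host1's and host2's keys apart in known_hosts even though both go through natbox.isp.com. The extra `Host *` stanza and the `known_hosts_name` helper are assumptions added here.

```python
import fnmatch

# Constructed copy of the client-side ssh_config from the post, plus a
# catch-all stanza (assumption) to show first-match-wins evaluation.
SSH_CONFIG = """
Host host1
  HostName natbox.isp.com
  Port 2201
Host host2
  HostName natbox.isp.com
  Port 2202
Host *
  Port 22
"""

def resolve(config_text, alias):
    """Effective (HostName, Port) for `alias`, following the subset of
    OpenSSH semantics used here: stanzas are scanned top to bottom, a
    stanza applies when any of its patterns matches, and the first value
    obtained for each keyword wins. Negated (!) patterns, Match blocks
    and Key=value syntax are not handled (assumption)."""
    hostname, port, active = None, None, False
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else '')
        if key == 'host':
            active = any(fnmatch.fnmatchcase(alias, p) for p in value.split())
        elif active and key == 'hostname' and hostname is None:
            hostname = value.strip()
        elif active and key == 'port' and port is None:
            port = int(value)
    # With no HostName the alias itself is the host; default port is 22.
    return (hostname or alias, port or 22)

def known_hosts_name(hostname, port):
    """Modern OpenSSH records a non-default port as [host]:port in
    known_hosts, so each forwarded port gets its own host-key entry."""
    return hostname if port == 22 else '[%s]:%d' % (hostname, port)

def nat_mapping(alias, internal_host, config_text=SSH_CONFIG):
    """The static NAT pairing (as text) that a stanza relies on:
    natbox:port on the outside to the internal host's port 22."""
    hostname, port = resolve(config_text, alias)
    return '%s:%d <-> %s:22' % (hostname, port, internal_host)
```

Running `ssh -p 2201 natbox.isp.com` by hand reaches the same place as `ssh host1`, which is the "longer method" the post mentions for client machines without the config.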
