NetBSD-Users archive


SSH / SSL, tunneling, etc (Re: builtin httpd)

On Jun 22, 2011, at 4:10 AM, Rhialto wrote:

Determining the protocol ought to be possible. HTTP servers expect an
immediate GET request. SSH servers first issue a prompt before a client
reply is due. So if the little program first waits for half a second or
so to see if a HTTP request comes in, and otherwise assumes SSH, this
should be good enough.

I swear, I have read an actual description of a program to do exactly this. What you wrote even reminds me of the wording that was used.

Aha, found it!

pkgsrc: net/sslh


sslh lets one accept both HTTPS and SSH connections on
the same port. It makes it possible to connect to an SSH
server on port 443 (e.g. from inside a corporate firewall,
which almost never block port 443) while still serving HTTPS
on that port.

The idea is to have sslh listen to the external 443 port,
accept the incoming connections, work out what type of
connection it is, and then forward to the appropriate

The protocol detection is made based on a small difference
between SSL and SSH: an SSL client connecting to a server
speaks first, whereas an SSH client expects the SSH server
to speak first (announcing itself with a banner). sslh
waits for some time for the incoming connection to send data.
If it does before the timeout occurs, it is supposed to be
an SSL connection. Otherwise, it is supposed to be an SSH

I notice that there seems to be a newer version than the one in pkgsrc out too. (1.8 vs 1.7)

Google also turned up this:

...which describes how to tunnel SSH inside SSL with net/proxytunnel and Apache. I can't quite figure out how, but the author claims "you can still run an HTTPS site".

Zero experience with Apache on my part, but I *think* what the config snippet shown does has to do with configuring it to act as an HTTP proxy; allowing CONNECT commands (to wrap the SSH) from hosts that you specify in advance, and serve straight HTTPS to everyone else.

That, or something completely different.

[1] as far as I know there is no way to plumb two file descriptors

Run "cat" with them attached as stdin and stdout? Sort of the inverse of popen(3) ..

On Wed, 22 Jun 2011, Chuck Swiger wrote:

You could start with plug-gw from the TIS FWTK.  Of course, if the local
firewall was doing its job, it would already be forcing HTTP and HTTPS
through an HTTP-aware proxy which would block attempts to put other
protocols like SSH through.

Hmm. You're right, with the minor modification that it'd have to be an HTTP and SSL-aware proxy, since as I understand it HTTPS completely wraps HTTP, and you'd only see the SSL handshake.

But if one were to wrap an SSH connection inside SSL instead, AFAIK there is no trivial way of spotting that, short of man-in-the-middle'ing all SSL connections. (Which can be done too, of course.)
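The timing test that Rhialto describes and that the sslh description spells out (a client that speaks first is TLS or HTTP, a client that stays silent is waiting for the SSH banner) is small enough to show in full. The following is an added illustration written for this archive page, not sslh's own code or anything from the pkgsrc package: it waits half a second on a freshly accepted socket, peeks at whatever the client sent, and also classifies the bytes themselves, so that a TLS record header, an HTTP method, or an SSH client that sends its "SSH-" identification string immediately (which the silence test alone would misread) each get routed correctly. The backend addresses, the sample payloads and the socketpair stand-in for a real accepted connection are all constructed for the demonstration; the thread names no hosts or ports beyond 443. The weak spot Chuck alludes to remains visible in the code: a slow TLS client looks like SSH, and the check is a heuristic, not a proof of what the stream is.

```python
"""Demultiplex TLS/HTTP/SSH on one port the way the sslh description explains.

Added example for the mailing-list discussion; not sslh's code.
"""
import select
import socket
from typing import Optional

# Hypothetical backends: where each detected protocol would be forwarded.
# Illustrative addresses only.
BACKENDS = {
    "tls": ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
    "ssh": ("127.0.0.1", 22),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Classify whatever a client volunteered before the server spoke.

    A TLS record begins with content type 0x16 (handshake) and a
    record-layer version of 0x03 0x0X; plain HTTP begins with a request
    method; an SSH client that chooses to speak first sends its
    identification string starting "SSH-".  Anything else is reported as
    'unknown' rather than guessed, so a misclassified stream is refused
    instead of being handed to the wrong daemon.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def detect_protocol(conn: socket.socket, timeout: float = 0.5) -> str:
    """Wait up to `timeout` seconds (the thread's "half a second or so").

    Silence means a client waiting for the SSH banner.  Data is only
    peeked (MSG_PEEK) so the chosen backend still receives every byte.
    Timing is the heuristic's weak spot: a stalled TLS client is read as
    SSH, and a fast SSH client is only caught by the "SSH-" check above.
    """
    readable, _, _ = select.select([conn], [], [], timeout)
    if not readable:
        return "ssh"
    data = conn.recv(64, socket.MSG_PEEK)
    if not data:
        return "closed"  # peer hung up without saying anything
    return classify_first_bytes(data)


def choose_backend(protocol: str) -> Optional[tuple]:
    """Map a detected protocol to a backend address, or None to refuse."""
    return BACKENDS.get(protocol)


def simulate_connection(payload: Optional[bytes], timeout: float = 0.2) -> str:
    """Run the detector over a socketpair standing in for a real accept().

    `payload` is what the constructed client sends immediately; None means
    it stays silent like a banner-waiting SSH client.
    """
    client, server = socket.socketpair()
    try:
        if payload:
            client.sendall(payload)
        return detect_protocol(server, timeout)
    finally:
        client.close()
        server.close()


# Constructed sample inputs (not captured from any real session).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
EAGER_SSH_CLIENT = b"SSH-2.0-ExampleClient\r\n"

if __name__ == "__main__":
    for name, payload in [("tls", TLS_CLIENT_HELLO_PREFIX), ("http", HTTP_REQUEST),
                          ("eager ssh", EAGER_SSH_CLIENT), ("silent ssh", None)]:
        proto = simulate_connection(payload)
        print(f"{name:10s} -> {proto:8s} backend={choose_backend(proto)}")
```

Running the script prints one line per constructed client; a real demultiplexer would, after `detect_protocol`, open the backend from `choose_backend` and copy bytes in both directions, refusing the connection when the result is `unknown` rather than picking a default.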

