SSH / SSL, tunneling, etc (Re: builtin httpd)

To: Rhialto <rhialto%falu.nl@localhost>, Chuck Swiger <cswiger%mac.com@localhost>
Subject: SSH / SSL, tunneling, etc (Re: builtin httpd)
From: Magnus Eriksson <magetoo%fastmail.fm@localhost>
Date: Thu, 23 Jun 2011 00:44:35 +0200 (CEST)

On Jun 22, 2011, at 4:10 AM, Rhialto wrote:

Determining the protocol ought to be possible. HTTP servers expect an
immediate GET request. SSH servers first issue a prompt before a client
reply is due. So if the little program first waits for half a second or
so to see if a HTTP request comes in, and otherwise assumes SSH, this
should be good enough.

I swear, I have read an actual description of a program to do exactlythis. What you wrote even reminds me of the wording that was used.



Aha, found it!

pkgsrc: net/sslh

Description:

sslh lets one accept both HTTPS and SSH connections on
the same port. It makes it possible to connect to an SSH
server on port 443 (e.g. from inside a corporate firewall,
which almost never block port 443) while still serving HTTPS
on that port.

The idea is to have sslh listen to the external 443 port,
accept the incoming connections, work out what type of
connection it is, and then fordward to the appropriate
server.

The protocol detection is made based on a small difference
between SSL and SSH: an SSL client connecting to a server
speaks first, whereas an SSH client expects the SSH server
to speak first (announcing itself with a banner). sslh
waits for some time for the incoming connection to send data.
If it does before the timeout occurs, it is supposed to be
an SSL connection. Otherwise, it is supposed to be an SSH
connection.

I notice that there seems to be a newer version than the one in pkgsrc outtoo. (1.8 vs 1.7)



Google also turned up this:

http://dag.wieers.com/howto/ssh-http-tunneling/

...which describes how to tunnel SSH inside SSL with net/proxytunnel andApache. I can't quite figure out how, but the author claims "you canstill run an HTTPS site".

Zero experience with Apache on my part, but I *think* what the configsnippet shown does has to do with configuring it to act as an HTTP proxy;allowing CONNECT commands (to wrap the SSH) from hosts that you specify inadvance, and serve straight HTTPS to everyone else.


That, or something completely different.

[1] as far as I know there is no way to plumb two file descriptors
together,

Run "cat" with them attached as stdin and stdout? Sort of the inverse ofpopen(3) ..



On Wed, 22 Jun 2011, Chuck Swiger wrote:

You could start with plug-gw from the TIS FWTK.  Of course, if the local
firewall was doing it's job, it would already be forcing HTTP and HTTPS
through an HTTP-aware proxy which would block attempts to put other
protocols like SSH through.

Hmm. You're right, with the minor modification that it'd have to be anHTTP and SSL-aware proxy, since as I understand it HTTPS completely wrapsHTTP, and you'd only see the SSL handshake.

But if one were to wrap an SSH connection inside SSL instead, AFAIK thereis no trivial way of spotting that, short of man-in-the-middle'ing all SSLconnections. (Which can be done too, of course.)



MAgnus

Follow-Ups:
- Re: SSH / SSL, tunneling, etc (Re: builtin httpd)
  - From: Rhialto
- Re: SSH / SSL, tunneling, etc (Re: builtin httpd)
  - From: Chuck Swiger

References:
- builtin httpd + pub dirs = snafu
  - From: Eric d'Halibut
- Re: builtin httpd + pub dirs = snafu
  - From: David Huang
- Re: builtin httpd + pub dirs = snafu
  - From: Eric d'Halibut
- Re: builtin httpd + pub dirs = snafu
  - From: Rhialto
- Re: builtin httpd + pub dirs = snafu
  - From: Chuck Swiger

Prev by Date: Re: builtin httpd + pub dirs = snafu
Next by Date: Re: SSH / SSL, tunneling, etc (Re: builtin httpd)
Previous by Thread: Re: builtin httpd + pub dirs = snafu
Next by Thread: Re: SSH / SSL, tunneling, etc (Re: builtin httpd)
Indexes:

Home | Main Index | Thread Index | Old Index