Mailing List Archive

"Virtual hosts" for ssh
It'd be very cool if ssh supported something like Apache "virtual hosts". This would make it much more viable to host multiple installs of git on the same server, for example.

More details:

On the remote server, ssh already sets some environment variables:

> printenv | grep SSH
SSH_CLIENT=192.168.1.18 50945 22
SSH_TTY=/dev/pts/1
SSH_CONNECTION=192.168.1.18 50945 192.168.1.1 22

What about adding another, say
SSH_SERVER_HOST=host1

Assuming that /etc/hosts
192.168.1.1 host1 host2
then
ssh user@host1
and
ssh user@host2
would lead to a shell on the same host with the same user, but SSH_SERVER_HOST would be different, and that would allow the creation of a script that, for example, could find the correct git repository given the virtual hostname. This is currently not possible because the script only has IP addresses.

Presumably that would not be too hard to do?

Cheers,


Johannes.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: "Virtual hosts" for ssh [ In reply to ]
Johannes Ernst wrote:
> very cool if ssh supported something like Apache "virtual hosts"

That makes not much sense, but you could of course consider
jails/containers/etc.


> host multiple installs of git on the same server

You can use real user accounts and POSIX ACLs:

# git init --shared "${repodir}" && find "${repodir}" -type d -execdir \
setfacl -m u::rwx,g::rwx,o::r-x,d:u::rwx,d:g::rwx,d:m::rwx,d:o::r-x '{}' +

..or use something like gitolite in order to avoid learning about ACLs.


//Peter
Re: "Virtual hosts" for ssh [ In reply to ]
On Jun 7, 2013, at 17:59, Peter Stuge <peter@stuge.se> wrote:

> Johannes Ernst wrote:
>> very cool if ssh supported something like Apache "virtual hosts"
>
> That makes not much sense,

Elaborate?

> but you could of course consider
> jails/containers/etc.

I don't see how this would work other than by assigning different IP addresses to the same server or at least using different ports. What am I missing?

Perhaps I wasn't as clear about the use case as I thought I was:

I'd like to be able to use the same user (say "git") on multiple git repositories on the same host, distinguished only by the hostname, but reaching different logical accounts with different credentials. Just like http://host1/blog and http://host2/blog can point to different installs of Wordpress on the same server (both of which have a user "admin" through the web interface that have nothing to do with each other), I'd like git commits by the same user for different virtual hostnames on the same server to have different credentials, and reach different repositories.

Think mass hosting of git installs (or gitolite, or gitorious, or ...) on the same host just like virtual HTTP hosting at your typical Wordpress host.

> host multiple installs of git on the same server
>
> You can use real user accounts and POSIX ACLs:
>
> # git init --shared "${repodir}" && find "${repodir}" -type d -execdir \
> setfacl -m u::rwx,g::rwx,o::r-x,d:u::rwx,d:g::rwx,d:m::rwx,d:o::r-x '{}' +
>
> ..or use something like gitolite in order to avoid learning about ACLs.

I think this is an issue unrelated to my problem / suggestion.

>
>
> //Peter
Re: "Virtual hosts" for ssh [ In reply to ]
Hello.
You may use the 'Match' conditional block, see 'sshd_config(5)'. It allows
you to distinguish between a compound of: User, Group, Host,
LocalAddress, LocalPort, and Address criteria. Maybe with
'ChrootDirectory'.
Or, if you trust your clients, you may use 'AcceptEnv' to pass your
environment variable over ssh.


On Sat, Jun 8, 2013 at 4:02 AM, Johannes Ernst <johannes.ernst@gmail.com> wrote:
> It'd be very cool if ssh supported something like Apache "virtual hosts". This would make it much more viable to host multiple installs of git on the same server, for example.
>
> More details:
>
> On the remote server, ssh already sets some environment variables:
>
>> printenv | grep SSH
> SSH_CLIENT=192.168.1.18 50945 22
> SSH_TTY=/dev/pts/1
> SSH_CONNECTION=192.168.1.18 50945 192.168.1.1 22
>
> What about adding another, say
> SSH_SERVER_HOST=host1
>
> Assuming that /etc/hosts
> 192.168.1.1 host1 host2
> then
> ssh user@host1
> and
> ssh user@host2
> would lead to a shell on the same host with the same user, but SSH_SERVER_HOST would be different, and that would allow the creation of a script that, for example, could find the correct git repository given the virtual hostname. This is currently not possible because the script only has IP addresses.
>
> Presumably that would not be too hard to do?
>
> Cheers,
>
>
> Johannes.
>
Re: "Virtual hosts" for ssh [ In reply to ]
On Sat, 8 Jun 2013, Pavel Volkov wrote:

> Hello.
> You may use the 'Match' conditional block, see 'sshd_config(5)'. It allows
> you to distinguish between a compound of: User, Group, Host,
> LocalAddress, LocalPort, and Address criteria. Maybe with
> 'ChrootDirectory'.

Right - and ForceCommand.

-d
Re: "Virtual hosts" for ssh [ In reply to ]
Actually this isn't a bad idea. Seems like it's at the right layer, doesn't require protocol rework, and exists in a namespace OpenSSH can reasonably claim to own. Only the client needs patching to upgrade the entire server space! Looks like a useful feature to have on by default, with pretty deep historical evidence that sharing perceived DNS name is operationally valuable. Not seeing a security impact; some concern about subsystems/sftp, but no need to block on that.

I like it! I'll write a patch if nobody else will.

Sent from my iPhone

On Jun 7, 2013, at 5:02 PM, Johannes Ernst <johannes.ernst@gmail.com> wrote:

> It'd be very cool if ssh supported something like Apache "virtual hosts". This would make it much more viable to host multiple installs of git on the same server, for example.
>
> More details:
>
> On the remote server, ssh already sets some environment variables:
>
>> printenv | grep SSH
> SSH_CLIENT=192.168.1.18 50945 22
> SSH_TTY=/dev/pts/1
> SSH_CONNECTION=192.168.1.18 50945 192.168.1.1 22
>
> What about adding another, say
> SSH_SERVER_HOST=host1
>
> Assuming that /etc/hosts
> 192.168.1.1 host1 host2
> then
> ssh user@host1
> and
> ssh user@host2
> would lead to a shell on the same host with the same user, but SSH_SERVER_HOST would be different, and that would allow the creation of a script that, for example, could find the correct git repository given the virtual hostname. This is currently not possible because the script only has IP addresses.
>
> Presumably that would not be too hard to do?
>
> Cheers,
>
>
> Johannes.
>
Re: "Virtual hosts" for ssh [ In reply to ]
Dan,

On 8 Jun 2013, at 09:34, Dan Kaminsky wrote:

> Actually this isn't a bad idea. Seems like it's at the right layer, doesn't require protocol rework, and exists in a namespace OpenSSH can reasonably claim to own. Only the client needs patching to upgrade the entire server space! Looks like a useful feature to have on by default, with pretty deep historical evidence that sharing perceived DNS name is operationally valuable. Not seeing a security impact; some concern about subsystems/sftp, but no need to block on that.

+1.

However, for maximum utility I think you are going to want
to upgrade the server too, so whatever the 'virtual host'
name is can be subject to Match style logic, appear
as %[something] etc. Ideally you would want it
to select different authorized_keys files, etc. etc.
but that would obviously be too late in the day.

Also unless the server sanitises this (which they won't
if unpatched) server side users of the environment
variable will need to be aware that a malicious
client could set this maliciously, and catch the foolish
who start in scripts without checking, assuming
it's always a hostname or IP. IE it doesn't work
like apache where the vhost has already been
validated.

--
Alex Bligh




Re: "Virtual hosts" for ssh [ In reply to ]
Host can always be malicious (believe me, I'm working on some attacks in
this space right now). In this case, we're security equivalent to an
environment variable we can generally set anyway.

The entire authorized keys system is kind of crufty. What I like about this
request is that it's client only, it's immediately useful, and it points in
a useful direction. It's also hilariously simple.

On Saturday, June 8, 2013, Alex Bligh wrote:

> Dan,
>
> On 8 Jun 2013, at 09:34, Dan Kaminsky wrote:
>
> > Actually this isn't a bad idea. Seems like it's at the right layer,
> doesn't require protocol rework, and exists in a namespace OpenSSH can
> reasonably claim to own. Only the client needs patching to upgrade the
> entire server space! Looks like a useful feature to have on by default,
> with pretty deep historical evidence that sharing perceived DNS name is
> operationally valuable. Not seeing a security impact; some concern about
> subsystems/sftp, but no need to block on that.
>
> +1.
>
> However, for maximum utility I think you are going to want
> to upgrade the server too, so whatever the 'virtual host'
> name is can be subject to Match style logic, appear
> as %[something] etc. Ideally you would want it
> to select different authorized_keys files, etc. etc.
> but that would obviously be too late in the day.
>
> Also unless the server sanitises this (which they won't
> if unpatched) server side users of the environment
> variable will need to be aware that a malicious
> client could set this maliciously, and catch the foolish
> who start in scripts without checking, assuming
> it's always a hostname or IP. IE it doesn't work
> like apache where the vhost has already been
> validated.
>
> --
> Alex Bligh
>
>
>
>
>
Re: "Virtual hosts" for ssh [ In reply to ]
On 8 Jun 2013, at 10:13, Dan Kaminsky wrote:

> Host can always be malicious (believe me, I'm working on some attacks in this space right now). In this case, we're security equivalent to an environment variable we can generally set anyway.

Sure. I just meant a note in the manpage saying something along the lines of 'this variable is not validated by the server and contains exactly what is passed by the client; hence caution should be used when processing it server side'.

> The entire authorized keys system is kind of crufty.

I couldn't possibly comment :-;

If, however, I was inventing an ssh 'virtual server', the first thing I'd want is for different authorized keys etc. per virtual server. This would mean exchanging the 'virtual host' required prior to authentication (and probably prior to key exchange). As far as I can tell from the spec, this would require bumping either protoversion or similar. Far more intrusive.

--
Alex Bligh




Re: "Virtual hosts" for ssh [ In reply to ]
On Fri, Jun 7, 2013 at 8:02 PM, Johannes Ernst <johannes.ernst@gmail.com> wrote:
> It'd be very cool if ssh supported something like Apache "virtual hosts". This would make it much more viable to host multiple installs of git on the same server, for example.

You've stepped into one of my fun areas, mixing technologies to attain
a desired result, especially SSH and source control.

As long as you can gracefully use a different IP address for each
environment, it's workable. If you do it hostname based, you can get
in deep confusion with all the different valid versions of the same
hostname, such as WWW.eXaMplE.CoM versus www.example.com versus www
(with a local domain set of example.com), and trying to match them
all. That's an old problem with "VirtualHosts" from web servers, as
well.

Alternatively, don't use the "same user" for different projects on the
same server. Use a different git shared username for each project
environment. Since your git environments are normally defined by the
home directory of the actual shared git username, this may be much
faster and easier to set up and require no root managed manipulation
of your sshd_config.

Nico Kadel-Garcia <nkadel@gmail.com>

> More details:
>
> On the remote server, ssh already sets some environment variables:
>
>> printenv | grep SSH
> SSH_CLIENT=192.168.1.18 50945 22
> SSH_TTY=/dev/pts/1
> SSH_CONNECTION=192.168.1.18 50945 192.168.1.1 22
>
> What about adding another, say
> SSH_SERVER_HOST=host1
>
> Assuming that /etc/hosts
> 192.168.1.1 host1 host2
> then
> ssh user@host1
> and
> ssh user@host2
> would lead to a shell on the same host with the same user, but SSH_SERVER_HOST would be different, and that would allow the creation of a script that, for example, could find the correct git repository given the virtual hostname. This is currently not possible because the script only has IP addresses.
>
> Presumably that would not be too hard to do?
>
> Cheers,
>
>
> Johannes.
>
Re: "Virtual hosts" for ssh [ In reply to ]
Sent from my iPhone

On Jun 8, 2013, at 7:58 AM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:

> On Fri, Jun 7, 2013 at 8:02 PM, Johannes Ernst <johannes.ernst@gmail.com> wrote:
>> It'd be very cool if ssh supported something like Apache "virtual hosts". This would make it much more viable to host multiple installs of git on the same server, for example.
>
> You've stepped into one of my fun areas, mixing technologies to attain
> a desired result, especially SSH and source control.
>
> As long as you can gracefully use a different IP address for each
> environment, it's workable.

Because nothing says graceful or workable like large scale IP management.

> If you do it hostname based, you can get
> in deep confusion with all the different valid versions of the same
> hostname, such as WWW.eXaMplE.CoM versus www.example.com versus www
> (with a local domain set of example.com), and trying to match them
> all. That's an old problem with "VirtualHosts" from web servers, as
> well.

Yes, it's an old, pretty much entirely solved problem. It's also not *our* problem; with this environment trick, it's the consuming shell's thing to deal with.

Arguably we could canonicalize the DNS name.

>
> Alternatively, don't use the "same user" for different projects on the
> same server. Use a different git shared username for each project
> environment. Since your git environments are normally defined by the
> home directory of the actual shared git username, this may be much
> faster and easier to set up and require no root managed manipulation
> of your sshd_config.

That's one way to do it, but overloading username instead of host has its own pile of issues.

>
> Nico Kadel-Garcia <nkadel@gmail.com>
>
>> More details:
>>
>> On the remote server, ssh already sets some environment variables:
>>
>>> printenv | grep SSH
>> SSH_CLIENT=192.168.1.18 50945 22
>> SSH_TTY=/dev/pts/1
>> SSH_CONNECTION=192.168.1.18 50945 192.168.1.1 22
>>
>> What about adding another, say
>> SSH_SERVER_HOST=host1
>>
>> Assuming that /etc/hosts
>> 192.168.1.1 host1 host2
>> then
>> ssh user@host1
>> and
>> ssh user@host2
>> would lead to a shell on the same host with the same user, but SSH_SERVER_HOST would be different, and that would allow the creation of a script that, for example, could find the correct git repository given the virtual hostname. This is currently not possible because the script only has IP addresses.
>>
>> Presumably that would not be too hard to do?
>>
>> Cheers,
>>
>>
>> Johannes.
>>
Re: "Virtual hosts" for ssh [ In reply to ]
On Jun 8, 2013, at 11:14, Dan Kaminsky <dan@doxpara.com> wrote:

>
>
> Sent from my iPhone
>
> On Jun 8, 2013, at 7:58 AM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
>
>> On Fri, Jun 7, 2013 at 8:02 PM, Johannes Ernst <johannes.ernst@gmail.com> wrote:
>>> It'd be very cool if ssh supported something like Apache "virtual hosts". This would make it much more viable to host multiple installs of git on the same server, for example.
>>
>> You've stepped into one of my fun areas, mixing technologies to attain
>> a desired result, especially SSH and source control.
>>
>> As long as you can gracefully use a different IP address for each
>> environment, it's workable.
>
> Because nothing says graceful or workable like large scale IP management.

Indeed, it does scale stably and well for small projects. For large sets of projects, such as several hundred, IPv6 becomes critical to support this approach.

Doesn't work well behind NAT or proxies without a lot of extra work.


>> If you do it hostname based, you can get
>> in deep confusion with all the different valid versions of the same
>> hostname, such as WWW.eXaMplE.CoM versus www.example.com versus www
>> (with a local domain set of example.com), and trying to match them
>> all. That's an old problem with "VirtualHosts" from web servers, as
>> well.
>
> Yes, it's an old, pretty much entirely solved problem. It's also not *our* problem; with this environment trick, it's the consuming shell's thing to deal with.

Yes, and it's very often done wrong. UTF8 hostnames, anyone?

> Arguably we could canonicalize the DNS name.

I'd advocate that.

>>
>> Alternatively, don't use the "same user" for different projects on the
>> same server. Use a different git shared username for each project
>> environment. Since your git environments are normally defined by the
>> home directory of the actual shared git username, this may be much
>> faster and easier to set up and require no root managed manipulation
>> of your sshd_config.
>
> That's one way to do it, but overloading username instead of host has its own pile of issues.

True, but it scales to thousands of projects and keeps source control configurations away from DNS or network resource management.
Re: "Virtual hosts" for ssh [ In reply to ]
On 08/06/13 20:27, Nico Kadel-Garcia wrote:
>> Arguably we could canonicalize the DNS name.
> I'd advocate that.
And restrict it to [a-z][a-z0-9.-]* please :)

Re: "Virtual hosts" for ssh [ In reply to ]
On Sun, Jun 9, 2013 at 12:56 PM, Ángel González <keisial@gmail.com> wrote:
> On 08/06/13 20:27, Nico Kadel-Garcia wrote:
>>>
>>> Arguably we could canonicalize the DNS name.
>>
>> I'd advocate that.
>
> And restrict it to [a-z][a-z0-9.-]* please :)

I'd personally love to see DNS go back to RFC 035 and use 7-bit ASCII
characters, limited as you describe. Unfortunately, RFC 3490 blew that
out of the water with the internationalization of domain names.
Canonicalizing domain names got a *lot* harder with that RFC.
Re: "Virtual hosts" for ssh [ In reply to ]
On 09/06/13 19:12, Nico Kadel-Garcia wrote:
> On Sun, Jun 9, 2013 at 12:56 PM, Ángel González <keisial@gmail.com> wrote:
>> And restrict it to [a-z][a-z0-9.-]* please :)
> I'd personally love to see DNS go back to RFC 035 and use 7-bit ASCII
> characters, limited as you describe. Unfortunately, RFC 3490 blew that
> out of the water with the internationalization of domain names.
> Canonicalizing domain names got a *lot* harder with that RFC.
I was expecting the client to provide the domain in punycode form. :)

Restricting to what is used by the underlying dns seemed logical, although my
main interest was doing in the server the cleanup so that it doesn't end up with
control characters, .., backticks, slashes et al. so that for instance the
following naive script would be safe:

#!/bin/sh
set -e
cd $SSH_SERVER_HOST
tar -c .
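
A hardened counterpart to the naive script above, as an added example that is not part of the original thread: it treats SSH_SERVER_HOST (the variable proposed here) as untrusted client input, applies the [a-z][a-z0-9.-]* restriction after lower-casing, and accepts only names the operator has created a directory for. REPO_ROOT and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. SSH_SERVER_HOST is the variable
# proposed above; REPO_ROOT and the function names are assumptions.
LC_ALL=C; export LC_ALL            # byte-wise a-z ranges, no locale surprises
REPO_ROOT=${REPO_ROOT:-/srv/git}   # assumed layout: one directory per virtual host

# canon_vhost NAME: print the canonical name, or return 1 if it is not a
# plain DNS-style name that is safe to use as a single path component.
canon_vhost() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # WWW.eXaMplE.CoM -> www.example.com
    name=${name%.}                              # drop one trailing root dot
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        [!a-z]*)        return 1 ;;  # must start with a letter (rejects -opt, .., 1x)
        *[!a-z0-9.-]*)  return 1 ;;  # slashes, backticks, $, spaces, control and non-ASCII bytes
        *..*|*.-*|*-.*|*-|*.) return 1 ;;  # empty labels, hyphen at a label edge
    esac
    printf '%s\n' "$name"            # punycode (xn--...) names pass unchanged
}

# vhost_repo_dir NAME: map a client-supplied name to its directory.
# The directory must already exist and must not be a symlink, so the set of
# valid virtual hosts is an allowlist controlled by the operator.
vhost_repo_dir() {
    host=$(canon_vhost "$1") || return 1
    dir=$REPO_ROOT/$host
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# serve: same job as the naive script, with the variable checked and quoted.
serve() {
    dir=$(vhost_repo_dir "${SSH_SERVER_HOST-}") || {
        echo "unknown virtual host" >&2
        return 1
    }
    cd -- "$dir" && tar -cf - .
}

# Only act when the client actually supplied the variable.
if [ "${SSH_SERVER_HOST+set}" = set ]; then
    serve
fi
```

The short name "www" and the full name "www.example.com" still canonicalize to different strings; the directory allowlist is what decides whether either one is served.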
