Mailing List Archive

Feature to connect two hidden hosts through sshd
Good morning

I am inquiring if the following feature is in any way planned or if there is any interest to pool manpower to do it:

The scope of the feature: Allow two hosts in private networks to share a port (typically to run VNC over it)

How it would be used:

- Companies or individuals would buy a public host in a cloud provider, install sshd in it with a public IP, e.g. 194.177.12.12

When host A with private IP e.g. 192.168.1.1 wants to establish a VNC connection to host B with private IP e.g. 192.168.2.2, this
should happen:

- Host A does: ssh [forward port 5901 and bind user damiano] 194.177.12.12
- Host B does: ssh [incoming port 5901 and bind as user damiano] 194.177.12.12

What happens is:
- 194.177.12.12 has a list of permitted "bindings" and one of them is damiano
- When host A connects to 194.177.12.12 and binds to user damiano, it tells sshd that it wants to forward the given port to the
binding
- When host B connects to 194.177.12.12 and binds to user damiano, it tells sshd that it wants to accept data forwarded to the given
port through the binding

As far as I see, there is no extra level of authentication on the bindings (binding name can be any string, even numeric) since the
ssh connection is authenticated.

The question again is if this is in any way a planned feature or if there is any interest in doing it from anybody.

Yes, I can get down to work on doing it

Thanks

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Feature to connect two hidden hosts through sshd
On Fri, Dec 6, 2019 at 6:04 AM Damiano Bolla <openssh.dev@engidea.com> wrote:
>
> Good morning
>
> I am inquiring if the following feature is in any way planned or if there is any interest to pool manpower to do it:
>
> The scope of the feature: Allow two hosts in private networks to share a port (typically to run VNC over it)
>
> How it would be used:
>
> - Companies or individuals would buy a public host in a cloud provider, install sshd in it with a public IP, e.g. 194.177.12.12
>
> When host A with private IP e.g. 192.168.1.1 wants to establish a VNC connection to host B with private IP e.g. 192.168.2.2, this
> should happen:
>
> - Host A does: ssh [forward port 5901 and bind user damiano] 194.177.12.12
> - Host B does: ssh [incoming port 5901 and bind as user damiano] 194.177.12.12

It's workable. I've also seen internal security people get
*ridiculously* angry about leaving that kind of tunnel in place,
because you're basically punching a hole in their firewall without
their permission.

If you're going to need this kind of remote terminal access, look at
NoMachine rather than VNC. It provides much better access over the
remote sessions for a designated local or personal administrator. It's
at www.nomachine.com and has free versions available.

> What happens is:
> - 194.177.12.12 has a list of permitted "bindings" and one of them is damiano
> - When host A connects to 194.177.12.12 and binds to user damiano, it tells sshd that it wants to forward the given port to the
> binding

Which can be forced with an SSH key and a "ForceCommand" setting. If
that first host is a typical jumpgate, it may have port forwarding
disabled.

> - When host B connects to 194.177.12.12 and binds to user damiano, it tells sshd that it wants to accept data forwarded to the given
> port through the binding

> As far as I see, there is no extra level of authentication on the bindings (binding name can be any string, even numeric) since the
> ssh connection is authenticated.

Look into using "sshn" on host A to automate the forwarded connection
and maintain it. And be ready for your local security person to beat
you with a stick when they find you've been running SSH tunnels
without their explicit permission.

> The question again is if this is in any way a planned feature or if there is any interest in doing it from anybody.
>
> Yes, I can get down to work on doing it
>
> Thanks
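The rendezvous Damiano describes in the first message, and the "SSH key plus ForceCommand" restriction the reply points at, can both be expressed with OpenSSH features that already exist: host B publishes its VNC port on the public sshd with a remote forward (-R), host A pulls that port back with a local forward (-L), and the "binding" becomes a dedicated account whose keys are locked down in authorized_keys. The script below is an added example written for this page; it is not code from either poster or from the OpenSSH project. The address 194.177.12.12, the account name damiano and port 5901 are taken from the thread, the key strings are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: two NAT'd hosts meeting through a public OpenSSH server
# using only stock OpenSSH client options and authorized_keys restrictions.
# 194.177.12.12, "damiano" and 5901 come from the thread; keys are made up.

RENDEZVOUS=194.177.12.12   # public sshd from the thread
BIND_USER=damiano          # the "binding" is just a dedicated unprivileged account
PORT=5901                  # VNC display :1

# Host B (VNC server, 192.168.2.2): bind the forwarded port to the rendezvous
# host's loopback only, so nothing on the Internet can reach the VNC server.
# -N opens no session, only the forwarding.
host_b_cmd() {
    printf 'ssh -N -R 127.0.0.1:%s:localhost:%s %s@%s\n' \
        "$PORT" "$PORT" "$BIND_USER" "$RENDEZVOUS"
}

# Host A (VNC viewer, 192.168.1.1): pull that loopback port back to itself,
# then point the viewer at localhost:1.
host_a_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "$PORT" "$PORT" "$BIND_USER" "$RENDEZVOUS"
}

# authorized_keys line for the binding account on the rendezvous host.
# "restrict" disables pty, X11, agent and all forwarding; only the one
# forwarding direction the role needs is re-enabled and pinned to the port,
# and command="/bin/false" means the key can never obtain a shell.
# permitlisten= requires OpenSSH 7.8 or later on the rendezvous host.
authorized_key_line() {
    role=$1
    pubkey=$2
    case $role in
        server) opts="restrict,port-forwarding,permitlisten=\"127.0.0.1:$PORT\",command=\"/bin/false\"" ;;
        viewer) opts="restrict,port-forwarding,permitopen=\"127.0.0.1:$PORT\",command=\"/bin/false\"" ;;
        *) echo "authorized_key_line: unknown role '$role'" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$opts" "$pubkey"
}

# sshd_config fragment for the rendezvous host: keep GatewayPorts at its
# default of "no" so a -R listener can only bind loopback, and allow nothing
# but TCP forwarding for the binding account.
sshd_match_block() {
    cat <<EOF
Match User $BIND_USER
    AllowTcpForwarding yes
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Print the three pieces an operator would deploy (keys below are constructed).
echo '# run on host B:'; host_b_cmd
echo '# run on host A:'; host_a_cmd
echo "# ~$BIND_USER/.ssh/authorized_keys on $RENDEZVOUS:"
authorized_key_line server 'ssh-ed25519 AAAAconstructedHostBKey hostB'
authorized_key_line viewer 'ssh-ed25519 AAAAconstructedHostAKey hostA'
echo '# /etc/ssh/sshd_config fragment:'; sshd_match_block
```

The design choice worth noting is that the two keys are not symmetric: host B's key may only listen on 127.0.0.1:5901 (permitlisten), host A's key may only connect to 127.0.0.1:5901 (permitopen), so a compromised host A cannot publish a listener and a compromised host B cannot reach anything on the rendezvous host or behind it. This is also where the reply's warning applies: the result is still a tunnel through a firewall, and the authorized_keys restrictions limit what the tunnel can carry, not whether the network owner has agreed to it.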