[lug] (semi-OT) ssh proxy
Sean Reifschneider
jafo at tummy.com
Sat May 28 18:26:10 MDT 2005
On Tue, May 24, 2005 at 02:18:37PM -0600, John Hernandez wrote:
>Luke, SSH does not lend itself to "transparent" proxy because the
>protocol itself attempts to validate the identity of the destination.
>Your proxy would be identified as a potential "man-in-the-middle" attacker.
Only if the man in the middle is doing SSH encryption/decryption. If it's
just passing along the encrypted data, it's no big deal. To get it to do
the right thing as far as keys go, you'll probably need to play with
HostKeyAlias values in your .ssh/config file though. Also see the
"ProxyCommand" config setting. It just needs to be a command that passes
stdin to the remote SSH daemon and data from the remote SSH daemon is
returned on stdout. For example, nc works fine if you have only one hop,
I've also used ssh to an intermediate machine where I then run an nc to the
final destination.
Sean
--
I'm one of the leading experts in the field of Data Mimeing. Unfortunately,
I'm not allowed to TELL you anything about it. -- Sean Reifschneider, 1997
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
More information about the LUG
mailing list