
532 points tempaccount420 | 8 comments
she46BiOmUerPVj No.45396551
So with HTTP requests you can see the domain name in the header and forward it to the correct host. That was never a thing you could do with SSH, does this allow that to work?
replies(3): >>45396631 #>>45396916 #>>45397431 #
1. finaard No.45396916
But that wasn't really a thing that was an issue with SSH.

  Host *.internal.example.com
    ProxyCommand ssh -q -W %h:%p hop.internal.example.com

in the SSH client config would make everything in that domain hop over that hop server. It's one extra connection - but with everything correctly configured that should be barely noticeable. Auth is also proxied through.
replies(4): >>45397065 #>>45397084 #>>45397359 #>>45397400 #
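To make the mechanics of these two snippets concrete, here is an added example (not code from the thread or from OpenSSH) that resolves a hostname against a small ssh_config the way ssh_config(5) does: blocks are scanned in file order, the first value obtained for an option wins, Host patterns accept `*` and `?`, and a leading `!` negates. The constructed config also shows the usual pitfall of a wildcard stanza: `*.internal.example.com` matches the hop host itself, so without an earlier `ProxyCommand none` stanza for `hop.internal.example.com` the client would try to proxy the hop through the hop. Only Host, ProxyCommand, ProxyJump and Port are handled, and only the `%h`, `%p` and `%%` tokens are expanded; Match, Include and the other tokens are deliberately left out.

```python
"""Resolve ProxyCommand/ProxyJump for a hostname with ssh_config semantics.

Added example, not OpenSSH code. Simplified: handles Host, ProxyCommand,
ProxyJump and Port only; expands %h, %p and %% in ProxyCommand.
"""
import fnmatch

# Constructed ssh_config in the style of the thread's snippets. The first
# stanza exists so that the hop host does not match the wildcard stanza
# below it and proxy through itself.
SAMPLE_CONFIG = """\
Host hop.internal.example.com
  ProxyCommand none

Host *.internal.example.com
  ProxyCommand ssh -q -W %h:%p hop.internal.example.com

Host *.lab.example.com !hop.lab.example.com
  ProxyJump hop.lab.example.com
  Port 2222
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    blocks.append((patterns, options))
    return blocks


def host_matches(hostname, patterns):
    """A block matches if some positive pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def expand_tokens(command, hostname, port):
    """Expand %h, %p and %% as ssh does for ProxyCommand; leave other tokens alone."""
    out, i = [], 0
    while i < len(command):
        if command[i] == "%" and i + 1 < len(command):
            tok = command[i + 1]
            out.append({"h": hostname, "p": str(port), "%": "%"}.get(tok, "%" + tok))
            i += 2
        else:
            out.append(command[i])
            i += 1
    return "".join(out)


def resolve(hostname, config_text):
    """Effective settings for hostname: first obtained value per option wins."""
    settings = {}
    for patterns, options in parse_ssh_config(config_text):
        if not host_matches(hostname, patterns):
            continue
        for key, value in options.items():
            settings.setdefault(key, value)
    settings.setdefault("port", "22")
    if "proxycommand" in settings:
        settings["proxycommand"] = expand_tokens(
            settings["proxycommand"], hostname, settings["port"])
    return settings


if __name__ == "__main__":
    for host in ("foo.internal.example.com", "hop.internal.example.com",
                 "db.lab.example.com", "other.example.com"):
        print(host, "->", resolve(host, SAMPLE_CONFIG))
```

Running it shows `foo.internal.example.com` getting `ssh -q -W foo.internal.example.com:22 hop.internal.example.com` while the hop itself gets `ProxyCommand none`, which is the behaviour the `ssh -G hostname` command prints for a real config and the quickest way to check a stanza before relying on it.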
2. doubled112 No.45397065
If you don't need to do anything complicated, ProxyJump is easier to remember.

    Host *.internal.example.com
      ProxyJump hop.internal.example.com
replies(1): >>45397175 #
3. unsnap_biceps No.45397084
Newer versions of ssh support ProxyJump.

  ssh -J hop.internal.example.com foo.internal.example.com
4. chupasaurus No.45397175
ProxyJump was implemented a decade ago to replace that specific string.
5. she46BiOmUerPVj No.45397359
I'm aware of proxy jump and other client side config but I'd rather that not every single client need to do this configuration.
6. kbolino No.45397400
Is there a way to configure the jump (hop) server to reroute the request based on the value of %h and/or %p? Otherwise, it's going to be quite difficult to configure something like HTTP virtual hosts.

EDIT: Looking at the relevant RFC [1] and the OpenSSH sshd_config manual [2], it looks like the answer is that the protocol supports having the jump server decide what to do with the host/port information, but the OpenSSH server software doesn't present any relevant configuration knobs.

[1]: https://www.rfc-editor.org/rfc/rfc4254.html#section-7.2

[2]: https://man7.org/linux/man-pages/man5/sshd_config.5.html

replies(1): >>45397636 #
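The host/port information the jump server receives arrives in the `direct-tcpip` channel-open request of RFC 4254 section 7.2, which is what `ssh -W %h:%p` (and ProxyJump) asks the hop to open. The following added example (constructed here, not OpenSSH code) encodes and decodes that payload so the fields a server-side policy could act on are visible, and mimics the allow-list check that sshd_config's PermitOpen applies to such requests. The PermitOpen mimic is an assumption-level simplification (exact host, `*` for host or port, plus `any`/`none`), not a reimplementation of sshd's matching.

```python
"""SSH_MSG_CHANNEL_OPEN "direct-tcpip" payload per RFC 4254 section 7.2.

Added example, not OpenSSH code. Shows what a jump server sees when a
client runs `ssh -W host:port jump` and a simplified PermitOpen-style check.
"""
import struct

SSH_MSG_CHANNEL_OPEN = 90


def _string(b):
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_string(buf, off):
    n, off = _read_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def encode_direct_tcpip(sender_channel, host, port, origin_ip, origin_port,
                        window=2 * 1024 * 1024, max_packet=32768):
    """Build the payload a client sends to open a direct-tcpip channel."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + _string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + _string(host.encode())
            + struct.pack(">I", port)
            + _string(origin_ip.encode())
            + struct.pack(">I", origin_port))


def decode_channel_open(payload):
    """Parse the generic header and, for direct-tcpip, the target host/port."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    ctype, off = _read_string(payload, 1)
    sender, off = _read_uint32(payload, off)
    window, off = _read_uint32(payload, off)
    max_packet, off = _read_uint32(payload, off)
    msg = {"type": ctype.decode(), "sender_channel": sender,
           "window": window, "max_packet": max_packet}
    if ctype == b"direct-tcpip":
        host, off = _read_string(payload, off)
        port, off = _read_uint32(payload, off)
        origin_ip, off = _read_string(payload, off)
        origin_port, off = _read_uint32(payload, off)
        msg.update(host=host.decode(), port=port,
                   origin_ip=origin_ip.decode(), origin_port=origin_port)
        if off != len(payload):
            raise ValueError("trailing bytes after direct-tcpip fields")
    return msg


def permit_open_allows(host, port, permit_open):
    """Simplified PermitOpen allow-list (assumption: exact host, '*' wildcard,
    'any'/'none'). sshd filters destinations this way; it does not rewrite them."""
    if permit_open == ["any"]:
        return True
    if permit_open == ["none"]:
        return False
    for entry in permit_open:
        h, _, p = entry.rpartition(":")
        if h in ("*", host) and p in ("*", str(port)):
            return True
    return False


if __name__ == "__main__":
    # Constructed request: what `ssh -W foo.internal.example.com:22 hop` sends.
    req = encode_direct_tcpip(0, "foo.internal.example.com", 22, "127.0.0.1", 50000)
    seen = decode_channel_open(req)
    print(seen)
    print("allowed:", permit_open_allows(seen["host"], seen["port"],
                                         ["*.internal.example.com:22"]))
```

The decoded `host` and `port` are exactly the values the client chose; the jump server can accept or refuse them with PermitOpen but, as the thread notes for OpenSSH, has no supported knob to substitute a different destination the way an HTTP reverse proxy does with a Host header.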
7. t-3 No.45397636
Yes, but it's not in the sshd config, it's in the ssh config. See ssh_config(5), search for Remote to find the most relevant sections.
replies(1): >>45405017 #
8. kbolino No.45405017
I don't follow. If it's in ssh_config, then it's client-side. Either that's the client initiating the request, in which case it's not server-controlled like HTTP virtual hosts, or else it's the "client" involved in the hop through the jump server, in which case it's going to be specific to a single username. Also the Remote* options have to do with remote port forwarding, which is in the wrong direction.

What am I missing?