Date: Wed, 17 Dec 1997 15:42:18 -0700 (MST)
From: Charles Mott <cmott@srv.net>
To: Nate Williams <nate@mt.sri.com>
Cc: Marc Slemko <marcs@znep.com>, chat@FreeBSD.ORG
Subject: Re: Support for secure http protocols
Message-ID: <Pine.BSF.3.96.971217152245.7135B-100000@darkstar.home>
In-Reply-To: <199712172218.PAA14340@mt.sri.com>
On Wed, 17 Dec 1997, Nate Williams wrote:

> > > > remote host has sshd. If so, it redirects all traffic to that host
> > > > through port 22 using port forwarding. This builds on techniques which
> > > > already exist in natd and ppp -alias.
> > >
> > > Unfortunately, things don't work that way. The only time 'automatic'
> > > use of the old ports occurs is on Unix (not Wintel), and *only* when you
> > > are first setting up the connection (again, only on Unix). This is
> > > intended as a replacement for rsh, which doesn't exist on Wintel boxes.
> >
> > I don't think you understand what I am talking about. See the paragraph
> > below. I know what ssh does. I also know what TCP does.
>
> You've changed the subject. The original subject was supporting secure
> HTTP, and now we're dealing with a very specialized setup, and the point
> is that SSH won't work for the generic solution, and your comments imply
> that it would work. Now that we've changed the background, it *may*
> work, but I'm not convinced that the commercial SSH client for Windows
> is up to the task. I've spent the last couple of months dealing with
> the issues, so I'd like to think I have a clue here.

I haven't used F-Secure, so I don't know the Windows side of ssh. What I
am suggesting will, in principle, work via FreeBSD (with divert sockets)
to sshd on any platform. The notion is to dynamically bring up ssh
connections as needed, in a transparent manner, using NAT to point to
forwarded ports on the local host. The actual shell part of ssh isn't the
important thing here, and a dummy shell could be brought up for anonymous
connections. It will secure any TCP protocol, and in a way that is
completely transparent to clients, be they HTTP, various mail protocols,
or whatever. I think the main downside is that it imposes a high load on
system resources.

The notion of combining NAT and ssh port forwarding also gives VPN, but
only over TCP and not UDP or ICMP.

> > What I don't know is whether port forwarding relationships can be
> > dynamically created and destroyed during a single ssh session. Probably
> > not, but desirable.
>
> Definitely not desirable due to security issues. And, if you
> allow port forwarding then you've got a security hole you can drive a
> truck through. ;(

I admit that I'd have to think about what restrictions on port forwarding
would be necessary. I just don't think this is the killer talking point
that you think it is.

Charles Mott
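The two halves of the scheme argued over in this message, as an added example that is not part of the thread and not code from FreeBSD or OpenSSH: the ipfw `fwd` rule that steers a TCP destination into a local `ssh -L` listener on the gateway, and the sshd-side restriction (`AllowTcpForwarding` / `PermitOpen`) that is the sort of limit the last paragraph says would be needed. The rule number, the 192.0.2.10 target, the ports, the user name and the sample sshd_config are all assumptions; the ssh flags are modern OpenSSH, not the 1997 client. Nothing below touches the kernel or starts ssh: the functions build the commands and inspect a config.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/OpenSSH. It sketches
# the two halves of the scheme above on a FreeBSD gateway: an ipfw "fwd" rule
# that steers TCP traffic for a remote service into a local "ssh -L" listener,
# and the sshd-side restriction (AllowTcpForwarding / PermitOpen) that a
# port-forwarding gateway needs. Rule number, addresses, ports and the user
# name are assumptions. Nothing here touches the kernel or runs ssh: the
# functions only build the commands and inspect a config.

# ipfw rule that captures packets for REMOTE:PORT arriving on the gateway and
# hands them to the ssh listener on 127.0.0.1:LOCALPORT. "fwd" leaves the
# original destination visible to the accepting socket, which is what keeps
# the redirect transparent to the client.
ipfw_fwd_rule() { # ipfw_fwd_rule RULENUM REMOTE PORT LOCALPORT
    printf 'ipfw add %s fwd 127.0.0.1,%s tcp from any to %s %s in\n' \
        "$1" "$4" "$2" "$3"
}

# Matching ssh side: -N asks for no shell (the "dummy shell" problem above),
# -L binds LOCALPORT on the gateway's loopback and relays it to PORT on the
# loopback of REMOTE, where sshd runs next to the service.
ssh_forward_cmd() { # ssh_forward_cmd REMOTE PORT LOCALPORT USER
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s %s@%s\n' "$3" "$2" "$4" "$1"
}

# Effective forwarding policy from an sshd_config read on stdin. Three details
# decide whether a "restricted" config is actually restricted: OpenSSH keeps
# the FIRST value of a keyword and ignores later ones, keywords are
# case-insensitive, and unset keywords fall back to the permissive defaults
# (yes / any). The "Keyword=value" spelling and Match blocks are not handled
# (assumption: whitespace-separated config, parsing stops at the first Match).
sshd_forwarding_policy() {
    awk '
        { sub(/#.*/, "") }                     # comments
        NF < 2 { next }                        # blank or comment-only lines
        { key = tolower($1) }
        key == "match" { inmatch = 1 }         # conditional blocks: out of scope
        inmatch { next }
        key == "allowtcpforwarding" && !seen_a { allow = tolower($2); seen_a = 1 }
        key == "permitopen" && !seen_p {
            $1 = ""; sub(/^ +/, ""); open = $0; seen_p = 1
        }
        END {
            if (allow == "") allow = "yes"     # OpenSSH default
            if (open == "") open = "any"       # OpenSSH default
            printf "AllowTcpForwarding=%s PermitOpen=%s\n", allow, open
        }'
}

# Constructed sample sshd_config for the forwarding target (not from a real
# host). The admin appended "AllowTcpForwarding no" later; it has no effect.
SAMPLE_SSHD_CONFIG='# sshd_config on 192.0.2.10
AllowTcpForwarding yes
PermitOpen localhost:80 localhost:25
# added later, too late: the first value wins
AllowTcpForwarding no
'

show_plan() {
    echo "# on the FreeBSD gateway, for www on 192.0.2.10:"
    ipfw_fwd_rule 100 192.0.2.10 80 8080
    ssh_forward_cmd 192.0.2.10 80 8080 tunnel
    echo "# effective policy on the target's sshd:"
    printf '%s' "$SAMPLE_SSHD_CONFIG" | sshd_forwarding_policy
}

show_plan
```

Forwarding to `localhost:80` at the far end, rather than to the service's public address, is what lets `PermitOpen localhost:80 localhost:25` on the target be the whole allow-list: the tunnel user can reach only those two services, not every host the target can see. Older FreeBSD kernels need `IPFIREWALL_FORWARD` compiled in before `fwd` rules do anything, and the policy check above deliberately shows that a later `AllowTcpForwarding no` does not override an earlier `yes`.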
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971217152245.7135B-100000>