From owner-freebsd-chat Wed Dec 17 14:43:10 1997
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA22265 for chat-outgoing; Wed, 17 Dec 1997 14:43:10 -0800 (PST) (envelope-from owner-freebsd-chat@FreeBSD.ORG)
Received: from anlsun.ebr.anlw.anl.gov (anlsun.ebr.anlw.anl.gov [141.221.1.2]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id OAA22256 for ; Wed, 17 Dec 1997 14:43:04 -0800 (PST) (envelope-from cmott@srv.net)
Received: from darkstar.home (dialin1.anlw.anl.gov [141.221.254.101]) by anlsun.ebr.anlw.anl.gov (8.6.11/8.6.11) with SMTP id PAA04902; Wed, 17 Dec 1997 15:42:50 -0700
Date: Wed, 17 Dec 1997 15:42:18 -0700 (MST)
From: Charles Mott
X-Sender: cmott@darkstar.home
To: Nate Williams
cc: Marc Slemko , chat@FreeBSD.ORG
Subject: Re: Support for secure http protocols
In-Reply-To: <199712172218.PAA14340@mt.sri.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 17 Dec 1997, Nate Williams wrote:

> > > > remote host has sshd. If so, it redirects all traffic to that host
> > > > through port 22 using port forwarding. This builds on techniques which
> > > > already exist in natd and ppp -alias.
> > >
> > > Unfortunately, things don't work that way. The only time 'automatic'
> > > use of the old ports occurs is on unix (not Wintel), and *only* when you
> > > are first setting up the connection (again, only on Unix.) This is
> > > intended as a replacement for rsh, which doesn't exist on Wintel boxes.
> >
> > I don't think you understand what I am talking about. See paragraph
> > below. I know what ssh does. I also know what tcp does.
>
> You've changed the subject. The original subject was supporting secure
> HTTP, and now we're dealing with a very specialized setup, and the point
> is that SSH won't work for the generic solution, and your comments imply
> that it would work. Now that we've changed the background, it *may*
> work, but I'm not convinced that the commercial SSH client for Windows
> is up to the task. I've spent the last couple of months dealing with
> the issues, so I'd like to think I have a clue here.

I haven't used F-Secure, so I don't know the Windows side of ssh. What I
am suggesting will, in principle, work via FreeBSD (with divert sockets)
to sshd on any platform. The notion is to dynamically bring up ssh
connections as needed in a transparent manner, using NAT to point to
forwarded ports on the local host. The actual shell part of ssh isn't the
important thing here, and a dummy shell could be brought up for anonymous
connections. It will secure any tcp protocol, and in a way completely
transparent to clients, be they http, various mail protocols, or whatever.
I think the main downside is that it imposes a high load on system
resources.

The notion of combining NAT and ssh port forwarding also gives VPN, but
only over TCP and not UDP or ICMP.

> > What I don't know is whether port forwarding relationships can be
> > dynamically created and destroyed during a single ssh session. Probably
> > not, but desirable.
>
> Definitely not desirable due to security issues. And, if you
> allow port forwarding then you've got a security hole you can drive a
> truck through. ;(

I admit that I'd have to think about what restrictions on port forwarding
would be necessary. I just don't think this is the killer talking point
that you think it is.

Charles Mott
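The following is an added example, not code from the thread, from natd, or from any FreeBSD component. It models the bookkeeping the scheme above needs on the gateway: for each outbound TCP destination, decide whether that host is known to run sshd and whether the destination is permitted, bring up one ssh port forward per (host, port) pair, hand the NAT layer the local port to rewrite to, and tear the forward down when the last connection closes. The sshd check is injected as a callable backed by a constructed table (a real gateway would probe port 22 or cache earlier probes), the allowlist is the kind of restriction the reply says would have to be thought about, the `ssh -N -L` syntax is OpenSSH's and is assumed rather than taken from the page, and the hook into divert sockets is left abstract: `translate()` returns the rewritten destination that a packet-rewriting layer would apply. UDP and ICMP are not handled, matching the text.

```python
"""Dynamic ssh-over-NAT tunnel table (added example; not from the original thread)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Dest = Tuple[str, int]  # (host, tcp port) as seen in the client's outbound SYN

# Constructed sample data: which hosts are assumed to run sshd on port 22.
SSHD_HOSTS = {"www.example.org", "mail.example.org"}


@dataclass
class Tunnel:
    host: str
    port: int
    local_port: int
    refs: int = 0  # live client connections riding this forward

    def ssh_command(self) -> List[str]:
        # Assumed OpenSSH syntax: bind 127.0.0.1:local_port on the gateway and
        # forward it to port `port` on the sshd host itself (localhost on the
        # remote side). -N asks for no remote shell, the "dummy shell" case.
        return ["ssh", "-N", "-L",
                f"127.0.0.1:{self.local_port}:localhost:{self.port}", self.host]


class TunnelBroker:
    def __init__(self, has_sshd: Callable[[str], bool],
                 allowed: Callable[[str, int], bool],
                 port_range: Tuple[int, int] = (10000, 10999)) -> None:
        self._has_sshd = has_sshd
        self._allowed = allowed  # restriction on which destinations may be forwarded
        self._free = list(range(port_range[0], port_range[1] + 1))
        self._tunnels: Dict[Dest, Tunnel] = {}
        self.log: List[str] = []  # what a real gateway would spawn/kill

    def translate(self, host: str, port: int) -> Dest:
        """Destination rewrite for an outbound SYN: tunnelled pairs go to the
        local forwarded port; everything else passes through unchanged."""
        t = self._tunnels.get((host, port))
        return ("127.0.0.1", t.local_port) if t else (host, port)

    def on_connect(self, host: str, port: int) -> Optional[Tunnel]:
        """Called on a new outbound SYN. Returns the tunnel used, or None for
        connections that are left in the clear."""
        key = (host, port)
        t = self._tunnels.get(key)
        if t is None:
            if not (self._allowed(host, port) and self._has_sshd(host)):
                return None
            if not self._free:
                raise RuntimeError("local port pool exhausted")
            t = Tunnel(host, port, self._free.pop(0))
            self._tunnels[key] = t
            self.log.append("spawn " + " ".join(t.ssh_command()))
        t.refs += 1
        return t

    def on_close(self, host: str, port: int) -> bool:
        """Called when a client connection ends. Returns True if the forward
        was torn down because it was the last user."""
        t = self._tunnels.get((host, port))
        if t is None:
            return False
        t.refs -= 1
        if t.refs > 0:
            return False
        del self._tunnels[(host, port)]
        self._free.append(t.local_port)
        self.log.append(f"kill ssh for {host}:{port}, free port {t.local_port}")
        return True


def demo_broker() -> TunnelBroker:
    """Broker wired to the constructed sshd table; only http and smtp may be forwarded."""
    return TunnelBroker(has_sshd=lambda h: h in SSHD_HOSTS,
                        allowed=lambda h, p: p in (80, 25))


if __name__ == "__main__":
    b = demo_broker()
    b.on_connect("www.example.org", 80)
    print(b.translate("www.example.org", 80))   # rewritten to the local forward
    print(b.translate("plain.example.org", 80))  # no sshd there: untouched
    b.on_close("www.example.org", 80)
    print("\n".join(b.log))
```

The refcount is what makes "dynamically created and destroyed" safe to reason about: a forward exists only while a client connection needs it, and the allowlist is the place to put whatever restriction is chosen on what may be tunnelled.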