It seems a better software than what I've seen before, since the real IP is shown to the server (SSH or HTTP) instead of just localhost. It requires more netfilter trickery however, but I think this is mandatory… Anyway, I think the default port should be 443, since this is the only port that is allowed to forward a CONNECT command to open an SSH connection. And one more question: will it be easy to do it using IPv6? I don't have the need for the moment, but just in case you have spare time :p
Hi! I forgot something in the previous comment. In fact I've just tested the HTTPS connection, and, as you might expect, it doesn't work. But as I said, I use it on port 443, to have the choice between SSH and HTTPS. And the test to find the right port tries to look for the 'HTTP' string inside the received bytes, which obviously doesn't exist in an HTTPS stream. Do you know many SSH clients that send something before receiving the server banner? Anyway, I think I'll modify this for my own usage :)
It's me again ;) In RFC 4253 §4.2: "When the connection has been established, both sides MUST send an identification string. This identification string MUST be SSH-protoversion-softwareversion SP comments CR LF". This means that instead of testing for "HTTP" in the request, "SSH" can be used, since it's the only valid request the client can send. What do you think of this?
The RFC says that both sides must send an SSH version string, however it might happen that the client is waiting for the server string before it sends its own string (as in the OpenSSH case). Therefore we can only rely on HTTP to detect the protocol, since the client needs to send his request before the server. I do not have the SSL protocol in mind, but it should be possible if the client sends a handshake to detect it. IP6 should be possible too, however I don't know yet if IP_TRANSPARENT can be applied to AF_INET6 sockets. I don't understand the CONNECT argument.
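The first-bytes detection discussed in this thread, as an added example that is not code from the project or from any commenter. It assumes HTTP is recognised by its request method token rather than by searching for the string 'HTTP', that a TLS client opens with a handshake record carrying a ClientHello, and that a client which sends nothing before a timeout is an SSH client waiting for the server banner; all names here are hypothetical.

```c
#include <stddef.h>
#include <string.h>

enum proto { PROTO_UNKNOWN, PROTO_SSH, PROTO_HTTP, PROTO_TLS, PROTO_NEED_MORE };

/* 1 if buf starts with all of s; sets *partial if buf is a proper prefix of s. */
static int starts_with(const unsigned char *buf, size_t len, const char *s, int *partial)
{
    size_t n = strlen(s);
    if (len >= n)
        return memcmp(buf, s, n) == 0;
    if (memcmp(buf, s, len) == 0)
        *partial = 1;
    return 0;
}

/* Classify the first bytes peeked from a client. len == 0 means the peek
 * timed out with nothing received; this sketch (assumption) treats such a
 * silent client as SSH, since it may be waiting for the server banner. */
enum proto classify_first_bytes(const unsigned char *buf, size_t len)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ",
                                     "OPTIONS ", "CONNECT ", "TRACE ", "PATCH " };
    int partial = 0;
    size_t i;
    if (len == 0)
        return PROTO_SSH;
    /* RFC 4253 section 4.2: the identification string begins with "SSH-". */
    if (starts_with(buf, len, "SSH-", &partial))
        return PROTO_SSH;
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++)
        if (starts_with(buf, len, methods[i], &partial))
            return PROTO_HTTP;
    /* TLS record header: type 0x16 (handshake), major version 0x03, minor,
     * 2-byte length; the next byte is handshake type 0x01 (ClientHello). */
    if (buf[0] == 0x16) {
        if (len < 6)
            return (len < 2 || buf[1] == 0x03) ? PROTO_NEED_MORE : PROTO_UNKNOWN;
        if (buf[1] == 0x03 && buf[5] == 0x01)
            return PROTO_TLS;
    }
    return partial ? PROTO_NEED_MORE : PROTO_UNKNOWN;
}

int main(void)
{
    /* Constructed sample: start of a client's SSH identification string. */
    return classify_first_bytes((const unsigned char *)"SSH-2.0-example\r\n", 17) == PROTO_SSH ? 0 : 1;
}
```

PROTO_NEED_MORE tells the caller to keep peeking until the timeout, so a request split across TCP segments is not misrouted.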