Date: Tue, 11 Oct 2005 12:37:46 +0100
From: "Steve [Gentoo]"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Shell through the web
Message-ID: <434BA40A.30808@shic.co.uk>
In-Reply-To: <1129005118.18578.12.camel@localhost>

W.Kenworthy wrote:
> Move the sshd instance on your server to port 443 (if you are not
> running an ssl aware webserver that is ...)
>
This is (pretty much) what I do - I mapped port 443 to 22 at my NAT/Firewall/router - that way I only have to deal with a peculiar port when using SSH from remote locations. I found that corkscrew ( http://www.agroman.net/corkscrew/ ) was useful where I was forced to use a proxy which required authentication at remote locations.
A question that I've recently been mulling is how I can retain this invaluable capability to accept remote SSH connections on port 443 - but also run a standard HTTPS website without needing another public IP address.

I fiddled with netcat and discovered that the two protocols (SSH and HTTPS) behave quite differently in spite of both being encrypted. As far as I could tell SSH required an initial message from the server to the client, whereas HTTPS started with the client sending the start of the request.

Given that I wouldn't mind waiting a few seconds to establish an SSH connection, it occurred to me that it should be possible to intercept both SSH and HTTPS connections arriving on port 443; distinguish between them (by waiting to see if an HTTP request arrives pretty quickly after the connection is established) then forward the data to the correct service...

          +-------+         +-----+---443-->[apache]
O---443-->|NAT-BOX|--1443-->|  ?  |
          +-------+         +-----+---22--->[sshd]

Is anyone aware of something I can use to implement the box labelled "?"? I suppose I could write a simple proxy myself... but don't really want to re-invent the wheel... I'm also vaguely hopeful that there may be a more efficient lower-level solution which wouldn't require the overhead of a process to 'pass-on' the tcp data... maybe integrated with ipchains or pf or similar?

Any ideas?

-- 
gentoo-user@gentoo.org mailing list
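The box labelled "?" as an added Python example, not code from the post or from any project (this is the approach tools such as sslh implement). It assumes the NAT box forwards 443 to local port 1443, apache and sshd listen on 127.0.0.1:443 and :22, and a 3-second silence window; the first bytes are only peeked, so the chosen backend still receives the complete stream.

```python
import contextlib
import select
import socket
import threading

# Constructed for this example: listen on 1443 (where the NAT box in the diagram
# sends port 443) and hand each connection to the local apache or sshd.
BACKENDS = {"https": ("127.0.0.1", 443), "ssh": ("127.0.0.1", 22)}

def classify(first_bytes):
    """Pick a backend from the first bytes a client sent (b"" = it stayed silent)."""
    if not first_bytes or first_bytes.startswith(b"SSH-"):
        return "ssh"     # SSH waits for the server banner, or announces itself as "SSH-..."
    if first_bytes[0] == 0x16:
        return "https"   # TLS record type 22 = handshake: a ClientHello arrived quickly
    return None          # neither protocol: drop it rather than guess

def sniff(conn, timeout=3.0):
    """Peek at the first bytes without consuming them, waiting at most `timeout` seconds."""
    if not select.select([conn], [], [], timeout)[0]:
        return "ssh"     # nothing arrived in time: a quiet client is assumed to be SSH
    return classify(conn.recv(8, socket.MSG_PEEK))  # MSG_PEEK leaves the bytes for the backend

def pump(src, dst):
    with contextlib.suppress(OSError):  # a reset on either side just ends this direction
        while chunk := src.recv(65536):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)    # half-close so the peer sees EOF too

def handle(client):
    kind = sniff(client)
    if kind is None:
        return client.close()
    with client, socket.create_connection(BACKENDS[kind]) as backend:
        t = threading.Thread(target=pump, args=(backend, client), daemon=True)
        t.start()
        pump(client, backend)
        t.join()

def probe(payload, timeout=0.2):
    """Self-check: run sniff() over a socketpair; return its verdict and the bytes still queued."""
    a, b = socket.socketpair()
    with a, b:
        a.sendall(payload)
        return sniff(b, timeout), (b.recv(64) if payload else b"")

def serve(port=1443):
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()
```

The price of deciding on silence is that every SSH login from a client that waits for the banner pays the full timeout, which is the delay the post says it can live with.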