Re: Alternatives for port forwarding



phil-news-nospam@xxxxxxxx writes:

> I've been thinking about some ideas I'd like to do with port forwarding
> like what SSH can do. But what I wanted to do is more complex and seems
> to exceed what SSH can accomplish. Maybe someone has an idea how to do
> this with SSH anyway?
>
> The objective is to make a server node that users can log into through
> a normal SSH client, with multiple logins from two or more different
> computer hosts, and have port forwarding rerouted from one machine to
> any other in the "cluster" of those logged in. I know this can be done
> by a combination of remote and local forwarding through listens active
> on the common server. However, this can be an administrative mess if
> a number of users are involved. For one thing it ties up a resource
> that needs to be carefully allocated but cannot be enforced: ports.
> If one user is having host A log in with a remote forward listening on
> port 10000, with the intent of logging in from host B with a local forward
> to reach that port 10000 to make a connection through to host A, it is
> possible some other user could beat them to using port 10000. Host A
> could in theory pick some other port, but how would host B know what it
> is?
>
> The dream solution is some kind of service that can be used to handle the
> network traffic on forwarded ports without actually having any listening
> being done on the server, or any connections to a port on the server.
> And the ideal would be to keep it all isolated within a group of users
> so that users of another group cannot connect over. I'm not sure how
> the connections would be appropriately identified (e.g. how would host
> B indicate it wants to forward through to host A even though all these
> SSH connections are really to the central server). One thing that is
> essential is that these destination identities need to be separate from
> any other user group, including the other group being able to use the
> same exact identity without any inter-group collision or breach.
>
> I suspect this may require some big additions to the sshd code to handle
> it. Or maybe it's better to just not use SSH and to develop another SSL
> based protocol. Any ideas?

I think yer onto something at the end. This doesn't sound like a job
for SSH.

Can you define your connection needs in terms of a user's identity?
Are you familiar with VPN capabilities? I suspect that an
appropriately selected VPN solution would be a much better fit for your
goals than anything based on SSH.

Best Regards,
--
Todd H.
http://www.toddh.net/
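As an added illustration of the port-allocation problem raised in the quoted question (this is not part of either post): the remote-forward/local-forward pairing described there is "host A: ssh -R 10000:localhost:5900 user@server" and "host B: ssh -L 5900:localhost:10000 user@server", and the collision risk is that the listen port 10000 on the server is a single global namespace. Current OpenSSH can at least enforce which ports each group may claim, with PermitListen (restricts -R listeners, OpenSSH 7.8 and later) and PermitOpen (restricts -L destinations, OpenSSH 4.4 and later) inside Match Group blocks of sshd_config. The group names and port numbers below are assumed values chosen for the example.

```sshd_config
# Added example sshd_config fragment (not from the thread); group names
# "alpha" and "beta" and the port numbers are assumed values.
# Requires OpenSSH 7.8 or later for PermitListen.

# Forwarded listeners stay bound to the server's loopback address, so
# they are reachable only through another SSH session to this server.
GatewayPorts no
AllowTcpForwarding yes

# Members of group "alpha" may open remote-forward listeners (ssh -R) only
# on loopback ports 10000-10002, and local forwards (ssh -L) only to those
# same loopback ports, so they can reach each other's listeners and
# nothing else on the server.
Match Group alpha
    PermitListen localhost:10000 localhost:10001 localhost:10002
    PermitOpen   localhost:10000 localhost:10001 localhost:10002

# Group "beta" gets a disjoint port set, so a beta user cannot take or
# connect to an alpha port.
Match Group beta
    PermitListen localhost:10010 localhost:10011 localhost:10012
    PermitOpen   localhost:10010 localhost:10011 localhost:10012
```

With this in place, a beta member who requests "-R 10000:..." has the forwarding request refused by sshd (the client reports that remote port forwarding failed for that listen port) rather than silently taking a port alpha depends on. Note what it does not solve: ports are still one shared namespace on the server, so two groups cannot use "the same exact identity" as the question asks, and host B still has to learn out-of-band which port host A actually got. Those two requirements are where the VPN-style approach suggested in the reply, which keys connectivity to identity rather than to server ports, fits better.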


