git ssb - cel/sslh@44f02ddf39a9d4c338dae207cfd1fb6bc6bfd1e0

📄	ChangeLog
📄	Makefile
📄	README
📁	scripts
📄	sslh.c
📄	sslh.pod

README

1 ===== sslh -- A ssl/ssh multiplexer. =====
2 
3 sslh lets one accept both HTTPS and SSH connections on the
4 same port. It makes it possible to connect to an SSH server
5 on port 443 (e.g. from inside a corporate firewall) while
6 still serving HTTPS on that port. 
7 
8 ==== Compile and install ====
9 
10 If you're lucky, the Makefile will work for you:
11 
12 make install
13 
14 (see below for configuration hints)
15 
16 
17 Otherwise:
18 
19 Compilation instructions (the binary produced won't contain
20 the version number, which is stored only in the Makefile)
21 
22 Solaris:
23   cc -o sslh sslh.c -lresolv -lsocket -lnsl
24 
25 LynxOS:
26   gcc -o tcproxy tcproxy.c -lnetinet
27 
28 Linux:
29   cc -o sslh sslh.c -lnet
30 or:
31   cc -o sslh sslh.c
32 
33 To compile with libwrap support:
34   cc -o sslh -DLIBWRAP sslh.c -lwrap
35 
36 To install:
37 
38 make
39 cp sslh /usr/local/sbin
40 cp scripts/etc.default.sslh /etc/default/sslh
41 
42 For Debian:
43 cp scripts/etc.init.d.sslh /etc/init.d/sslh
44 For CentOS:
45 cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
46 
47 and probably create links in /etc/rc<x>.d so that the server
48 start automatically at boot-up, e.g. under Debian:
49 update-rc.d sslh defaults
50 
51 
52 
53 ==== Configuration ====
54 
55 You can edit settings in /etc/default/sslh:
56 
57 LISTEN=ifname:443
58 SSH=localhost:22
59 SSL=localhost:443
60 
61 A good scheme is to use the external name of the machine in
62 $LISTEN, and bind httpd to localhost:443 (instead of all
63 binding to all interfaces): that way, https connections
64 coming from inside your network don't need to go through
65 sslh, and sslh is only there as a frontal for connections
66 coming from the internet.
67 
68 Note that 'external name' in this context refers to the
69 actual IP address of the machine as seen from your network,
70 i.e. that that is not 127.0.0.1 in the output of
71 ifconfig(8).
72 
73 ==== Libwrap support ====
74 
75 Sslh can optionnaly perform libwrap checks for the sshd
76 service: because the connection to sshd will be coming
77 locally from sslh, sshd cannot determine the IP of the
78 client.
79 
80 ==== OpenVPN support ====
81 
82 OpenVPN clients reportedly take more than one second between
83 the time the TCP connexion is established and the time they
84 send the first data packet. This results in sslh with
85 default settings timing out and assuming an SSH connexion.
86 To support OpenVPN connexions reliably, it is necessary to
87 increase sslh's timeout to 5 seconds.
88 
89 ==== IP_TPROXY support ====
90 
91 There is a netfilter patch that adds an option to the Linux
92 TCP/IP stack to allow a program to set the source address
93 of an IP packet that it sends. This could let sslh set the
94 address of packets to that of the actual client, so that
95 sshd would see and log the IP address of the client, making
96 sslh transparent.
97 
98 This is not, and won't be, implemented in sslh for the
99 following reasons (in increasing order of importance):
100 
101   * It's not vital: the real connecting IP address can be
102     found in logs. Little gain.
103   * It's Linux only: it means increased complexity for no
104     gain to some users.
105   * It's a patch: it means it'd only be useful to Linux
106     users who compile their own kernel.
107   * Only root can use the feature: that's a definite no-no.
108     Sslh should not, must not, will never run as root.
109 
110 This isn't to mean that it won't eventually get implemented,
111 when/if the feature finds its way into the main kernel and
112 it becomes usuable by non-root processes.
113 
114 
115 Comments? questions? sslh@rutschle.net
116

Built with git-ssb-web

1	===== sslh -- A ssl/ssh multiplexer. =====
2
3	sslh lets one accept both HTTPS and SSH connections on the
4	same port. It makes it possible to connect to an SSH server
5	on port 443 (e.g. from inside a corporate firewall) while
6	still serving HTTPS on that port.
7
8	==== Compile and install ====
9
10	If you're lucky, the Makefile will work for you:
11
12	make install
13
14	(see below for configuration hints)
15
16
17	Otherwise:
18
19	Compilation instructions (the binary produced won't contain
20	the version number, which is stored only in the Makefile)
21
22	Solaris:
23	cc -o sslh sslh.c -lresolv -lsocket -lnsl
24
25	LynxOS:
26	gcc -o tcproxy tcproxy.c -lnetinet
27
28	Linux:
29	cc -o sslh sslh.c -lnet
30	or:
31	cc -o sslh sslh.c
32
33	To compile with libwrap support:
34	cc -o sslh -DLIBWRAP sslh.c -lwrap
35
36	To install:
37
38	make
39	cp sslh /usr/local/sbin
40	cp scripts/etc.default.sslh /etc/default/sslh
41
42	For Debian:
43	cp scripts/etc.init.d.sslh /etc/init.d/sslh
44	For CentOS:
45	cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
46
47	and probably create links in /etc/rc<x>.d so that the server
48	start automatically at boot-up, e.g. under Debian:
49	update-rc.d sslh defaults
50
51
52
53	==== Configuration ====
54
55	You can edit settings in /etc/default/sslh:
56
57	LISTEN=ifname:443
58	SSH=localhost:22
59	SSL=localhost:443
60
61	A good scheme is to use the external name of the machine in
62	$LISTEN, and bind httpd to localhost:443 (instead of all
63	binding to all interfaces): that way, https connections
64	coming from inside your network don't need to go through
65	sslh, and sslh is only there as a frontal for connections
66	coming from the internet.
67
68	Note that 'external name' in this context refers to the
69	actual IP address of the machine as seen from your network,
70	i.e. that that is not 127.0.0.1 in the output of
71	ifconfig(8).
72
73	==== Libwrap support ====
74
75	Sslh can optionnaly perform libwrap checks for the sshd
76	service: because the connection to sshd will be coming
77	locally from sslh, sshd cannot determine the IP of the
78	client.
79
80	==== OpenVPN support ====
81
82	OpenVPN clients reportedly take more than one second between
83	the time the TCP connexion is established and the time they
84	send the first data packet. This results in sslh with
85	default settings timing out and assuming an SSH connexion.
86	To support OpenVPN connexions reliably, it is necessary to
87	increase sslh's timeout to 5 seconds.
88
89	==== IP_TPROXY support ====
90
91	There is a netfilter patch that adds an option to the Linux
92	TCP/IP stack to allow a program to set the source address
93	of an IP packet that it sends. This could let sslh set the
94	address of packets to that of the actual client, so that
95	sshd would see and log the IP address of the client, making
96	sslh transparent.
97
98	This is not, and won't be, implemented in sslh for the
99	following reasons (in increasing order of importance):
100
101	* It's not vital: the real connecting IP address can be
102	found in logs. Little gain.
103	* It's Linux only: it means increased complexity for no
104	gain to some users.
105	* It's a patch: it means it'd only be useful to Linux
106	users who compile their own kernel.
107	* Only root can use the feature: that's a definite no-no.
108	Sslh should not, must not, will never run as root.
109
110	This isn't to mean that it won't eventually get implemented,
111	when/if the feature finds its way into the main kernel and
112	it becomes usuable by non-root processes.
113
114
115	Comments? questions? sslh@rutschle.net
116

cel / sslh