git ssb

0+

cel / sslh



Tree:
📄ChangeLog
📄Makefile
📄README
📁scripts
📄sslh.c
📄sslh.pod
README
1===== sslh -- A ssl/ssh multiplexer. =====
2
3sslh lets one accept both HTTPS and SSH connections on the
4same port. It makes it possible to connect to an SSH server
5on port 443 (e.g. from inside a corporate firewall) while
6still serving HTTPS on that port.
7
8==== Compile and install ====
9
10If you're lucky, the Makefile will work for you:
11
12make install
13
14(see below for configuration hints)
15
16
17Otherwise:
18
19Compilation instructions (the binary produced won't contain
20the version number, which is stored only in the Makefile)
21
22Solaris:
23 cc -o sslh sslh.c -lresolv -lsocket -lnsl
24
25LynxOS:
26 gcc -o tcproxy tcproxy.c -lnetinet
27
28Linux:
29 cc -o sslh sslh.c -lnet
30or:
31 cc -o sslh sslh.c
32
33To compile with libwrap support:
34 cc -o sslh -DLIBWRAP sslh.c -lwrap
35
36To install:
37
38make
39cp sslh /usr/local/sbin
40cp scripts/etc.default.sslh /etc/default/sslh
41
42For Debian:
43cp scripts/etc.init.d.sslh /etc/init.d/sslh
44For CentOS:
45cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
46
47and probably create links in /etc/rc<x>.d so that the server
48start automatically at boot-up, e.g. under Debian:
49update-rc.d sslh defaults
50
51
52
53==== Configuration ====
54
55You can edit settings in /etc/default/sslh:
56
57LISTEN=ifname:443
58SSH=localhost:22
59SSL=localhost:443
60
61A good scheme is to use the external name of the machine in
62$LISTEN, and bind httpd to localhost:443 (instead of all
63binding to all interfaces): that way, https connections
64coming from inside your network don't need to go through
65sslh, and sslh is only there as a frontal for connections
66coming from the internet.
67
68Note that 'external name' in this context refers to the
69actual IP address of the machine as seen from your network,
70i.e. that that is not 127.0.0.1 in the output of
71ifconfig(8).
72
73==== Libwrap support ====
74
75Sslh can optionnaly perform libwrap checks for the sshd
76service: because the connection to sshd will be coming
77locally from sslh, sshd cannot determine the IP of the
78client.
79
80==== OpenVPN support ====
81
82OpenVPN clients reportedly take more than one second between
83the time the TCP connexion is established and the time they
84send the first data packet. This results in sslh with
85default settings timing out and assuming an SSH connexion.
86To support OpenVPN connexions reliably, it is necessary to
87increase sslh's timeout to 5 seconds.
88
89==== IP_TPROXY support ====
90
91There is a netfilter patch that adds an option to the Linux
92TCP/IP stack to allow a program to set the source address
93of an IP packet that it sends. This could let sslh set the
94address of packets to that of the actual client, so that
95sshd would see and log the IP address of the client, making
96sslh transparent.
97
98This is not, and won't be, implemented in sslh for the
99following reasons (in increasing order of importance):
100
101 * It's not vital: the real connecting IP address can be
102 found in logs. Little gain.
103 * It's Linux only: it means increased complexity for no
104 gain to some users.
105 * It's a patch: it means it'd only be useful to Linux
106 users who compile their own kernel.
107 * Only root can use the feature: that's a definite no-no.
108 Sslh should not, must not, will never run as root.
109
110This isn't to mean that it won't eventually get implemented,
111when/if the feature finds its way into the main kernel and
112it becomes usuable by non-root processes.
113
114
115Comments? questions? sslh@rutschle.net
116

Built with git-ssb-web