2013-07-10 17:10:43 -04:00
|
|
|
===== sslh -- A ssl/ssh multiplexer. =====
|
2013-07-10 17:09:40 -04:00
|
|
|
|
|
|
|
|
sslh lets one accept both HTTPS and SSH connections on the
|
|
|
|
|
same port. It makes it possible to connect to an SSH server
|
|
|
|
|
on port 443 (e.g. from inside a corporate firewall) while
|
|
|
|
|
still serving HTTPS on that port.
|
|
|
|
|
|
2013-07-10 17:10:43 -04:00
|
|
|
==== Compile and install ====
|
|
|
|
|
|
|
|
|
|
If you're lucky, the Makefile will work for you:
|
|
|
|
|
|
|
|
|
|
make install
|
|
|
|
|
|
|
|
|
|
(see below for configuration hints)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Otherwise:
|
2013-07-10 17:09:40 -04:00
|
|
|
|
2013-07-10 17:11:40 -04:00
|
|
|
Compilation instructions (the binary produced won't contain
|
|
|
|
|
the version number, which is stored only in the Makefile)
|
2013-07-10 17:09:40 -04:00
|
|
|
|
|
|
|
|
Solaris:
|
|
|
|
|
cc -o sslh sslh.c -lresolv -lsocket -lnsl
|
|
|
|
|
|
|
|
|
|
LynxOS:
|
|
|
|
|
gcc -o tcproxy tcproxy.c -lnetinet
|
|
|
|
|
|
|
|
|
|
Linux:
|
|
|
|
|
cc -o sslh sslh.c -lnet
|
|
|
|
|
or:
|
|
|
|
|
cc -o sslh sslh.c
|
|
|
|
|
|
|
|
|
|
To compile with libwrap support:
|
|
|
|
|
cc -o sslh -DLIBWRAP sslh.c -lwrap
|
|
|
|
|
|
|
|
|
|
To install:
|
|
|
|
|
|
|
|
|
|
make
|
|
|
|
|
cp sslh /usr/local/sbin
|
|
|
|
|
cp scripts/etc.default.sslh /etc/default/sslh
|
|
|
|
|
|
2013-07-10 17:11:40 -04:00
|
|
|
For Debian:
|
|
|
|
|
cp scripts/etc.init.d.sslh /etc/init.d/sslh
|
|
|
|
|
For CentOS:
|
|
|
|
|
cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
|
|
|
|
|
|
2013-07-10 17:10:43 -04:00
|
|
|
and probably create links in /etc/rc<x>.d so that the server
|
|
|
|
|
start automatically at boot-up, e.g. under Debian:
|
|
|
|
|
update-rc.d sslh defaults
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
==== Configuration ====
|
|
|
|
|
|
2013-07-10 17:09:40 -04:00
|
|
|
You can edit settings in /etc/default/sslh:
|
|
|
|
|
|
|
|
|
|
LISTEN=ifname:443
|
|
|
|
|
SSH=localhost:22
|
|
|
|
|
SSL=localhost:443
|
|
|
|
|
|
|
|
|
|
A good scheme is to use the external name of the machine in
|
2013-07-10 17:10:43 -04:00
|
|
|
$LISTEN, and bind httpd to localhost:443 (instead of all
|
|
|
|
|
binding to all interfaces): that way, https connections
|
|
|
|
|
coming from inside your network don't need to go through
|
|
|
|
|
sslh, and sslh is only there as a frontal for connections
|
|
|
|
|
coming from the internet.
|
|
|
|
|
|
2013-07-10 17:11:40 -04:00
|
|
|
Note that 'external name' in this context refers to the
|
|
|
|
|
actual IP address of the machine as seen from your network,
|
|
|
|
|
i.e. that that is not 127.0.0.1 in the output of
|
|
|
|
|
ifconfig(8).
|
2013-07-10 17:10:43 -04:00
|
|
|
|
|
|
|
|
==== Libwrap support ====
|
2013-07-10 17:09:40 -04:00
|
|
|
|
|
|
|
|
Sslh can optionnaly perform libwrap checks for the sshd
|
|
|
|
|
service: because the connection to sshd will be coming
|
|
|
|
|
locally from sslh, sshd cannot determine the IP of the
|
|
|
|
|
client.
|
|
|
|
|
|
2013-07-10 17:11:40 -04:00
|
|
|
==== OpenVPN support ====
|
|
|
|
|
|
|
|
|
|
OpenVPN clients reportedly take more than one second between
|
|
|
|
|
the time the TCP connexion is established and the time they
|
|
|
|
|
send the first data packet. This results in sslh with
|
|
|
|
|
default settings timing out and assuming an SSH connexion.
|
|
|
|
|
To support OpenVPN connexions reliably, it is necessary to
|
|
|
|
|
increase sslh's timeout to 5 seconds.
|
|
|
|
|
|
|
|
|
|
==== IP_TPROXY support ====
|
2013-07-10 17:09:40 -04:00
|
|
|
|
2013-07-10 17:11:40 -04:00
|
|
|
There is a netfilter patch that adds an option to the Linux
|
|
|
|
|
TCP/IP stack to allow a program to set the source address
|
|
|
|
|
of an IP packet that it sends. This could let sslh set the
|
|
|
|
|
address of packets to that of the actual client, so that
|
|
|
|
|
sshd would see and log the IP address of the client, making
|
|
|
|
|
sslh transparent.
|
2013-07-10 17:09:40 -04:00
|
|
|
|
2013-07-10 17:11:40 -04:00
|
|
|
This is not, and won't be, implemented in sslh for the
|
|
|
|
|
following reasons (in increasing order of importance):
|
|
|
|
|
|
|
|
|
|
* It's not vital: the real connecting IP address can be
|
|
|
|
|
found in logs. Little gain.
|
|
|
|
|
* It's Linux only: it means increased complexity for no
|
|
|
|
|
gain to some users.
|
|
|
|
|
* It's a patch: it means it'd only be useful to Linux
|
|
|
|
|
users who compile their own kernel.
|
|
|
|
|
* Only root can use the feature: that's a definite no-no.
|
|
|
|
|
Sslh should not, must not, will never run as root.
|
|
|
|
|
|
|
|
|
|
This isn't to mean that it won't eventually get implemented,
|
|
|
|
|
when/if the feature finds its way into the main kernel and
|
|
|
|
|
it becomes usuable by non-root processes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Comments? questions? sslh@rutschle.net
|
