2013-07-10 17:10:43 -04:00
# I'm just not gonna write troff :-)

=head1 NAME

sslh - ssl/ssh multiplexer

=head1 SYNOPSIS

sslh [ B<-t> I<num> ] [B<-p> I<listening address> [B<-p> I<listening address> ...]] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-o> I<target address for OpenVPN>] [B<-u> I<username>] [B<-P> I<pidfile>] [B<-v>] [B<-i>] [B<-V>] [B<-f>] [B<-n>]

=head1 DESCRIPTION

B<sslh> accepts HTTPS, SSH and OpenVPN connections on the
same port. This makes it possible to connect to an SSH
server or an OpenVPN server on port 443 (e.g. from inside a
corporate firewall, which almost never blocks port 443) while
still serving HTTPS on that port.

The idea is to have B<sslh> listen on the external 443 port,
accept the incoming connections, work out what type of
connection each one is, and then forward it to the appropriate
server.

=head2 Protocol detection

Protocol detection is based on the first bytes sent by the
client: SSH connections start by the two ends identifying
their versions using clear-text "SSH-2.0" strings (or
equivalent version strings). This is defined in RFC4253,
section 4.2. Meanwhile, OpenVPN clients start with 0x00 0x0D 0x38.

Additionally, two kinds of SSH clients exist: either the client
waits for the server to send its version string first ("shy"
client, which is the case of OpenSSH and PuTTY), or the
client sends its version string first ("bold" client, which is the
case of Bitvise Tunnelier and ConnectBot).

B<sslh> waits for some time for the incoming connection to
send data. If it stays quiet after the timeout period, it is
assumed to be a shy SSH client, and is connected to the SSH
server. Otherwise, B<sslh> reads the first packet the client
provides, and connects it to the SSH server if it starts
with "SSH-", to the OpenVPN server if it starts with the
OpenVPN signature above, or to the SSL server otherwise.

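The decision described above, modelled in Python as an added example (this is not sslh's own code). The "SSH-" and 0x00 0x0D 0x38 signatures and the 2s default timeout are the ones the text gives; the socketpair simulation, the use of MSG_PEEK and the 16-byte peek size are this example's own assumptions.

```python
import socket
from typing import Optional

# Signatures taken from the man page text above.
SSH_PREFIX = b"SSH-"              # RFC 4253, 4.2: "SSH-2.0-..." version string
OPENVPN_PREFIX = b"\x00\x0d\x38"  # first bytes sent by an OpenVPN client


def classify_first_bytes(data: Optional[bytes]) -> str:
    """Return the backend name ('ssh', 'openvpn' or 'ssl') for the first
    bytes a client sent; None means nothing arrived before the timeout."""
    if data is None:
        # Silence: a "shy" SSH client (OpenSSH, PuTTY) waiting for the
        # server's banner, so hand it to the SSH server.
        return "ssh"
    if data.startswith(SSH_PREFIX):
        return "ssh"       # "bold" SSH client (Bitvise Tunnelier, ConnectBot)
    if data.startswith(OPENVPN_PREFIX):
        return "openvpn"
    return "ssl"           # anything else is treated as HTTPS


def peek_first_bytes(conn: socket.socket, timeout: float, nbytes: int = 16) -> Optional[bytes]:
    """Wait up to `timeout` seconds for the client's first bytes. MSG_PEEK
    (this example's choice) leaves them in the socket so the whole stream
    can still be forwarded unchanged to the chosen backend."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(nbytes, socket.MSG_PEEK)
    except socket.timeout:
        return None
    finally:
        conn.settimeout(None)
    # A peer that closed without sending is treated like a silent one here.
    return data if data else None


def route(conn: socket.socket, timeout: float = 2.0) -> str:
    """Pick the backend for one accepted connection (-t defaults to 2s)."""
    return classify_first_bytes(peek_first_bytes(conn, timeout))


def simulate(payload: Optional[bytes], timeout: float = 0.2) -> str:
    """Drive `route` with a constructed client on a socketpair (no network)."""
    client, server = socket.socketpair()
    try:
        if payload is not None:
            client.sendall(payload)
        return route(server, timeout)
    finally:
        client.close(); server.close()
```

Because the routing decision rests entirely on whatever bytes an unauthenticated client chooses to send first, each backend should keep its own access controls (the libwrap check described below is one such control for SSH).
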
=head2 Libwrap support

One drawback of B<sslh> is that the B<ssh> and B<httpd>
servers no longer see the original IP address of the client,
as the connection is forwarded through B<sslh>.
B<sslh> provides enough logging to work around that problem.
However, it is common to limit access to B<ssh> using
B<libwrap> or B<tcpd>. For this reason, B<sslh> can be
compiled to check SSH accesses against the SSH access lists
defined in F</etc/hosts.allow> and F</etc/hosts.deny>.

=head1 OPTIONS

=over 4

=item B<-t> I<num>, B<--timeout> I<num>

Timeout before a connection is considered to be SSH. Default
is 2s.

=item B<-p> I<listening address>, B<--listen> I<listening address>

Interface and port on which to listen, e.g. I<foobar:443>,
where I<foobar> is the name of an interface (typically the
IP address on which the Internet connection ends up).

This can be specified several times to bind B<sslh> to
several addresses.

=item B<-l> I<target address>, B<--ssl> I<target address>

Interface and port on which to forward SSL connections,
typically I<localhost:443>.

Note that you can set B<sslh> to listen on I<ext_ip:443> and
B<httpd> to listen on I<localhost:443>: this allows clients
inside your network to just connect directly to B<httpd>.

=item B<-s> I<target address>, B<--ssh> I<target address>

Interface and port on which to forward SSH connections,
typically I<localhost:22>.

=item B<-o> I<target address>, B<--openvpn> I<target address>

Interface and port on which to forward OpenVPN connections,
typically I<localhost:1194>.

=item B<--tinc> I<target address>

Interface and port on which to forward tinc connections,
typically I<localhost:655>.

This is experimental. If you use this feature, please report
the results (even if it works!).

=item B<-v>, B<--verbose>

Increase verbosity.

=item B<-n>, B<--numeric>

Do not attempt to resolve hostnames: logs will contain IP
addresses. This is mostly useful if the system's DNS is slow
and you are running the I<sslh-select> variant, as DNS requests
will hang all connections.

=item B<-V>

Prints the B<sslh> version.

=item B<-u> I<username>, B<--user> I<username>

Runs under the specified username. Defaults to
I<nobody> (which is not perfect -- ideally B<sslh> should
run under its own UID).

=item B<-P> I<pidfile>, B<--pid-file> I<pidfile>

Specifies the file in which to write the PID of the main
server. Defaults to I</var/run/sslh.pid>.

=item B<-i>, B<--inetd>

Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
(listen address) and B<-u> (user) are ignored.

=item B<-f>, B<--foreground>

Runs in the foreground. The server will not fork and will remain connected
to the terminal. Messages normally sent to B<syslog> will also be sent
to I<stderr>.

=back

=head1 FILES

=over 4

=item F</etc/init.d/sslh>

Start-up script. The standard actions B<start>, B<stop> and
B<restart> are supported.

=item F</etc/default/sslh>

Server configuration. These are environment variables
loaded by the start-up script and passed to B<sslh> as
command-line arguments. Refer to the OPTIONS section for a
detailed explanation of the variables used by B<sslh>.

=back

=head1 SEE ALSO

The latest version is available from
L<http://www.rutschle.net/tech/sslh>, and releases can be tracked
at L<http://freshmeat.net/projects/sslh/>.

=head1 AUTHOR

Written by Yves Rutschle