MAN page from RedHat EL 3 sslh-1.11-1.el3.rf.i386.rpm
NAME
sslh - ssl/ssh multiplexer

SYNOPSIS
sslh [-t num] [-p listening address [-p listening address ...]] [--ssl target address for SSL] [--ssh target address for SSH] [--openvpn target address for OpenVPN] [--http target address for HTTP] [-u username] [-P pidfile] [-v] [-i] [-V] [-f] [-n]
DESCRIPTION
sslh accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port. This makes it possible to connect to any of these servers on port 443 (e.g. from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.

The idea is to have sslh listen on the external 443 port, accept the incoming connections, work out what type of connection each one is, and then forward it to the appropriate server.
Protocol detection
The protocol detection is based on the first bytes sent by the client: SSH connections start by identifying each other's versions using clear-text ``SSH-2.0'' strings (or equivalent version strings). This is defined in RFC 4253, section 4.2. Meanwhile, OpenVPN clients start with 0x00 0x0D 0x38, tinc clients start with ``0 '', and XMPP clients start with a packet containing ``jabber''.

Additionally, two kinds of SSH client exist: either the client waits for the server to send its version string (``Shy'' client, which is the case of OpenSSH and PuTTY), or the client sends its version first (``Bold'' client, which is the case of Bitvise Tunnelier and ConnectBot).

sslh waits for some time for the incoming connection to send data. If it stays quiet after the timeout period, it is assumed to be a shy SSH client and is connected to the SSH server. Otherwise, sslh reads the first packet the client provides and connects it to the SSH server if it starts with ``SSH-'', or to the SSL server otherwise.
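The detection procedure described above, written out as an added Python example (this is not sslh's own code): classify applies the man page's first-bytes rules in the order given, and wait_for_first_packet implements the timeout rule that turns a silent connection into a shy SSH client. The greetings in SAMPLE_FIRST_PACKETS are constructed for this example (a truncated TLS record header, a made-up tinc node name, a minimal XMPP stream opening); the function and constant names are this example's own, not sslh's.

```python
import select
import socket
from typing import Dict, Optional

# Constructed sample first packets, modelled on the client greetings the man
# page lists. They are example data, not captures from real clients.
SAMPLE_FIRST_PACKETS: Dict[str, bytes] = {
    "bold ssh client": b"SSH-2.0-OpenSSH_5.3\r\n",
    "openvpn client": b"\x00\x0d\x38" + b"\x00" * 13,
    "tinc client": b"0 tincnode 17\n",
    "xmpp client": b"<stream:stream xmlns='jabber:client' to='example.org'>",
    # First bytes of a TLS record carrying a ClientHello (truncated; constructed).
    "tls client": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01",
}


def classify(first_bytes: Optional[bytes]) -> str:
    """Map a client's first bytes to the backend sslh would pick.

    None means nothing arrived before the timeout: the man page treats that
    as a "shy" SSH client waiting for the server's banner. The checks run in
    the order the man page gives them; everything unrecognised falls through
    to the SSL server. Whatever the client sends first chooses the route, so
    this is a routing heuristic, and each backend still authenticates the
    client itself.
    """
    if first_bytes is None:
        return "ssh"  # shy client (OpenSSH, PuTTY): silent until the banner
    if first_bytes.startswith(b"SSH-"):
        return "ssh"  # bold client: RFC 4253 4.2 version string
    if first_bytes.startswith(b"\x00\x0d\x38"):
        return "openvpn"
    if first_bytes.startswith(b"0 "):
        return "tinc"
    if b"jabber" in first_bytes:
        return "xmpp"
    return "ssl"  # anything else goes to the HTTPS server


def wait_for_first_packet(conn: socket.socket, timeout: float,
                          bufsize: int = 1024) -> Optional[bytes]:
    """Wait up to `timeout` seconds (the role of sslh -t) for the first packet.

    Returns None if the timeout elapses with no data. Otherwise returns the
    first packet, which a real proxy would replay to the chosen backend.
    """
    readable, _, _ = select.select([conn], [], [], timeout)
    if not readable:
        return None
    return conn.recv(bufsize)


def demux(conn: socket.socket, timeout: float) -> str:
    """Full decision for one accepted connection: wait, then classify."""
    return classify(wait_for_first_packet(conn, timeout))


def run_demo(timeout: float = 0.2) -> Dict[str, str]:
    """Run every sample greeting, plus a silent client, through demux().

    Uses a socketpair so it runs offline; only the silent client actually
    waits for the full timeout.
    """
    scenarios: Dict[str, Optional[bytes]] = dict(SAMPLE_FIRST_PACKETS)
    scenarios["shy ssh client"] = None
    results: Dict[str, str] = {}
    for name, payload in scenarios.items():
        client, server = socket.socketpair()
        try:
            if payload is not None:
                client.sendall(payload)
            results[name] = demux(server, timeout)
        finally:
            client.close()
            server.close()
    return results


if __name__ == "__main__":
    for name, backend in run_demo().items():
        print(f"{name:18s} -> {backend}")
```

Running the module prints one line per scenario; the silent client and the bold SSH client both end up at the SSH backend, and the TLS ClientHello is the only sample that reaches the SSL server by fall-through.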
Libwrap support
One drawback of sslh is that the ssh servers no longer see the original IP address of the client, as the connection is forwarded through sslh. sslh provides enough logging to circumvent that problem. However, it is common to limit access to ssh. For this reason, sslh can be compiled to check SSH accesses against SSH access lists as defined in /etc/hosts.allow.
OPTIONS
- -t num, --timeout num
- Timeout before a connection is considered to be SSH. Default is 2s.
- -p listening address, --listen listening address
- Interface and port on which to listen, e.g. foobar:443, where foobar is the name of an interface (typically the IP address on which the Internet connection ends up).
This can be specified several times to bind sslh to several addresses.
- --ssl target address
- Interface and port on which to forward SSL connections, typically localhost:443.
Note that you can set sslh to listen on ext_ip:443 and httpd to listen on localhost:443: this allows clients inside your network to connect directly to httpd.
- --ssh target address
- Interface and port on which to forward SSH connections, typically localhost:22.
- --openvpn target address
- Interface and port on which to forward OpenVPN connections, typically localhost:1194.
- --xmpp target address
- Interface and port on which to forward XMPP connections, typically localhost:5222.
- --tinc target address
- Interface and port on which to forward tinc connections, typically localhost:655.
This is experimental. If you use this feature, please report the results (even if it works!).
- -v, --verbose
- Increase verbosity.
- -n, --numeric
- Do not attempt to resolve hostnames: logs will contain IP addresses. This is mostly useful if the system's DNS is slow and you are running the sslh-select variant, as DNS requests will hang all connections.
- -V, --version
- Prints the sslh version.
- -u username, --user username
- Requires sslh to run under the specified username.
- -P pidfile, --pid-file pidfile
- Specifies a file in which to write the PID of the main server.
- -i, --inetd
- Runs as an inetd server. The options -P (PID file), -p (listen address) and -u (user) are ignored.
- -f, --foreground
- Runs in the foreground. The server will not fork and will remain connected to the terminal. Messages normally sent to syslog will also be sent to stderr.
FILES
- Start-up script. The standard actions start, stop and restart are supported.
- Server configuration. These are environment variables loaded by the start-up script and passed to sslh as command-line arguments. Refer to the OPTIONS section for a detailed explanation of the variables used by sslh.
SEE ALSO
The latest version is available from <http://www.rutschle.net/tech/sslh>, and releases can be tracked from <http://freshmeat.net/projects/sslh/>.

AUTHOR
Written by Yves Rutschle