MAN page from RedHat EL 5 sslh-1.11-1.el5.rf.x86_64.rpm
SSLH
Section: (8)
Updated: 2012-04-21
NAME
sslh - ssl/ssh multiplexer
SYNOPSIS
sslh [ -t num ] [ -p listening address [ -p listening address ... ] ]
     [ --ssl target address for SSL ] [ --ssh target address for SSH ]
     [ --openvpn target address for OpenVPN ] [ --http target address for HTTP ]
     [ -u username ] [ -P pidfile ] [ -v ] [ -i ] [ -V ] [ -f ] [ -n ]
DESCRIPTION
sslh accepts HTTP, HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port. This makes it possible to connect to any of these servers on port 443 (e.g. from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.

The idea is to have sslh listen on the external 443 port, accept the incoming connections, work out what type of connection each one is, and then forward it to the appropriate server.
Protocol detection
The protocol detection is made based on the first bytes sent by the client: SSH connections start by identifying each other's versions using clear-text ``SSH-2.0'' strings (or equivalent version strings). This is defined in RFC 4253, section 4.2. Meanwhile, OpenVPN clients start with 0x00 0x0D 0x38, tinc clients start with ``0 '', and XMPP clients start with a packet containing ``jabber''.

Additionally, two kinds of SSH clients exist: either the client waits for the server to send its version string first (``shy'' client, which is the case of OpenSSH and PuTTY), or the client sends its version string first (``bold'' client, which is the case of Bitvise Tunnelier and ConnectBot).

sslh waits for some time for the incoming connection to send data. If it stays quiet after the timeout period, it is assumed to be a shy SSH client and is connected to the SSH server. Otherwise, sslh reads the first packet the client provides and connects it to the SSH server if it starts with ``SSH-'', or to the SSL server otherwise.
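The following is an added example, not sslh's own source code, that models the detection described above in Python: a silent client is treated as a shy SSH client once the timeout expires, and a client that talks first is classified by its first bytes using the signatures the page gives (SSH, OpenVPN, tinc, XMPP, otherwise SSL). The HTTP method check is an assumption added for the --http option listed in the SYNOPSIS, and the simulate() harness (an in-process socketpair standing in for a real client) is constructed for illustration.

```python
import select
import socket

# Constructed model of sslh's first-bytes detection; not the project's code.
SSH_TIMEOUT = 2.0  # sslh's default -t value, in seconds

# Assumed list of HTTP request methods for the --http target (not on the page).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify(first_bytes):
    """Map a client's first packet to the protocol name sslh would forward it to.

    Signatures from the man page: "SSH-" (RFC 4253 4.2), 0x00 0x0D 0x38 for
    OpenVPN, "0 " for tinc, "jabber" somewhere in the packet for XMPP.
    Anything unrecognised is handed to the SSL target, so a TLS ClientHello
    (0x16 0x03 ...) lands there without needing its own rule.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(b"\x00\x0d\x38"):
        return "openvpn"
    if first_bytes.startswith(b"0 "):
        return "tinc"
    # HTTP is tested before XMPP so a URL that merely contains "jabber"
    # is not misrouted; the page does not state an order, so this is a choice.
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if b"jabber" in first_bytes:
        return "xmpp"
    return "ssl"


def classify_connection(sock, timeout=SSH_TIMEOUT):
    """Wait up to `timeout` seconds for the client's first packet.

    Returns (protocol, first_packet). A client that stays quiet is a shy SSH
    client; the returned bytes must be replayed to the real backend because
    they have already been consumed from the socket.
    """
    ready, _, _ = select.select([sock], [], [], timeout)
    if not ready:
        return "ssh", b""          # shy client: nothing sent before the timeout
    data = sock.recv(4096)
    if not data:
        return "ssl", b""          # peer closed without sending; default target
    return classify(data), data


def simulate(client_bytes=None, timeout=0.2):
    """Constructed harness: a socketpair client that is shy (sends nothing)
    or bold (sends `client_bytes` immediately). Returns the detected protocol."""
    server_side, client_side = socket.socketpair()
    try:
        if client_bytes is not None:
            client_side.sendall(client_bytes)
        proto, _ = classify_connection(server_side, timeout)
        return proto
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print("shy client   ->", simulate(None))
    print("bold SSH     ->", simulate(b"SSH-2.0-ConnectBot\r\n"))
    print("TLS hello    ->", simulate(b"\x16\x03\x01\x00\xa5\x01"))
    print("OpenVPN      ->", classify(b"\x00\x0d\x38\x01"))
```

The harness uses a short timeout so the shy case returns quickly; a real deployment keeps the default 2 seconds, and a longer timeout delays every shy SSH login by that amount, which is the trade-off the -t option controls.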
Libwrap support
One drawback of sslh is that the ssh and httpd servers no longer see the original IP address of the client, as the connection is forwarded through sslh. sslh provides enough logging to circumvent that problem. However, it is common to limit access to ssh using libwrap or tcpd. For this reason, sslh can be compiled to check SSH accesses against the SSH access lists defined in /etc/hosts.allow and /etc/hosts.deny.
OPTIONS
-t num, --timeout num
    Timeout before a connection is considered to be SSH. Default is 2s.

-p listening address, --listen listening address
    Interface and port on which to listen, e.g. foobar:443, where foobar is the name of an interface (typically the IP address on which the Internet connection ends up).
    This can be specified several times to bind sslh to several addresses.

--ssl target address
    Interface and port on which to forward SSL connections, typically localhost:443.
    Note that you can set sslh to listen on ext_ip:443 and httpd to listen on localhost:443: this allows clients inside your network to connect directly to httpd.

--ssh target address
    Interface and port on which to forward SSH connections, typically localhost:22.

--openvpn target address
    Interface and port on which to forward OpenVPN connections, typically localhost:1194.

--xmpp target address
    Interface and port on which to forward XMPP connections, typically localhost:5222.

--tinc target address
    Interface and port on which to forward tinc connections, typically localhost:655.
    This is experimental. If you use this feature, please report the results (even if it works!).

-v, --verbose
    Increase verbosity.

-n, --numeric
    Do not attempt to resolve hostnames: logs will contain IP addresses. This is mostly useful if the system's DNS is slow and you are running the sslh-select variant, as DNS requests will hang all connections.

-V
    Prints the sslh version.

-u username, --user username
    Requires sslh to run under the specified username.

-P pidfile, --pid-file pidfile
    Specifies a file in which to write the PID of the main server.

-i, --inetd
    Runs as an inetd server. Options -P (PID file), -p (listen address) and -u (user) are ignored.

-f, --foreground
    Runs in the foreground. The server will not fork and will remain connected to the terminal. Messages normally sent to syslog will also be sent to stderr.
FILES
/etc/init.d/sslh
    Start-up script. The standard actions start, stop and restart are supported.

/etc/default/sslh
    Server configuration. These are environment variables loaded by the start-up script and passed to sslh as command-line arguments. Refer to the OPTIONS section for a detailed explanation of the variables used by sslh.
SEE ALSO
The latest version is available from <http://www.rutschle.net/tech/sslh>, and releases can be tracked from <http://freshmeat.net/projects/sslh/>.
AUTHOR
Written by Yves Rutschle