Man page of SSLH
SSLH
Section: (8)
Updated: 2011-01-16
Index of this MAN page
Back To MAN Pages From BackTrack 5 R1 Master List
NAME
sslh - ssl/ssh multiplexer
SYNOPSIS
sslh [ -t num ] [-p listening address] [-l target address for SSL] [-s target address for SSH] [-u username] [-P pidfile] [-v] [-i] [-V] [-f]
DESCRIPTION
sslh lets one accept both HTTPS and SSH connections on
the same port. It makes it possible to connect to an SSH
server on port 443 (e.g. from inside a corporate firewall,
which almost never block port 443) while still serving HTTPS
on that port.
The idea is to have sslh listen to the external 443 port,
accept the incoming connections, work out what type of
connection it is, and then fordward to the appropriate
server.
Protocol detection
The protocol detection is made based on a small difference
between SSL and SSH: SSH connections start by identifying
each other's versions using clear text ``SSH-2.0'' strings (or
equivalent version strings). This is defined in RFC4253,
4.2.
Two cases can occur: The client waits for the server to
send its version string (``Shy'' client, which is the case of
OpenSSH and Putty), or the client sends its version first
(``Bold'' client, which is the case of Bitvise Tunnelier and
ConnectBot).
sslh waits for some time for the incoming connection to
send data. If it stays quiet after the timeout period, it is
assumed to be a shy SSH client, and is connected to the SSH
server. Otherwise, sslh reads the first packet the client
provides, and connects it to the SSH server if it starts
with ``SSH-'', or connects it to the SSL server otherwise.
Libwrap support
One drawback of sslh is that the ssh and httpd
servers do not see the original IP address of the client
anymore, as the connection is forwarded through sslh.
sslh provides enough logging to circumvent that problem.
However it is common to limit access to ssh using
libwrap or tcpd. For this reason, sslh can be
compiled to check SSH accesses against SSH access lists as
defined in /etc/hosts.allow and /etc/hosts.deny.
OPTIONS
- -t num
-
Timeout before a connection is considered to be SSH. Default
is 2s.
- -p listening address
-
Interface and port on which to listen, e.g. foobar:443,
where foobar is the name of an interface (typically the
IP address on which the Internet connection ends up).
Defaults to 0.0.0.0:443 (listen to port 443 on all
available interfaces).
- -l target address for SSL
-
Interface and port on which to forward SSL connection,
typically localhost:443.
Defaults to localhost:443 (this assumes you would
configure your httpd process to listen to port 443).
Note that you can set sslh to listen on ext_ip:443 and
httpd to listen on localhost:443: this allows clients
inside your network to just connect directly to httpd.
- -s target address for SSH
-
Interface and port on which to forward SSH connection,
defaults to localhost:22.
- -v
-
Increase verboseness.
- -V
-
Prints sslh version.
- -u username
-
Requires to run under the specified username. Defaults to
nobody (which is not perfect --- ideally sslh should
run under its own UID).
- -P pidfile
-
Specifies the file in which to write the PID of the main
server. Defaults to /var/run/sslh.pid.
- -i
-
Runs as an inetd server. Options -P (PID file), -p
(listen address), -u (user) are ignored.
- -f
-
Runs in foreground. The server will not fork and will remain connected
to the terminal. Messages normally sent to syslog will also be sent
to stderr.
FILES
- /etc/init.d/sslh
-
Start-up script. The standard actions start, stop and
restart are supported.
- /etc/default/sslh
-
Server configuration. These are environment variables
loaded by the start-up script and passed to sslh as
command-line arguments. Refer to the OPTIONS section for a
detailed explanation of the variables used by sslh.
SEE ALSO
Last version available from
<http://www.rutschle.net/tech/sslh>, and can be tracked
from <http://freshmeat.net/projects/sslh/>.
AUTHOR
Written by Yves Rutschle
Index
- NAME
-
- SYNOPSIS
-
- DESCRIPTION
-
- Protocol detection
-
- Libwrap support
-
- OPTIONS
-
- FILES
-
- SEE ALSO
-
- AUTHOR
-
This document was created by
man2html,
using the manual pages.
Time: 07:34:21 GMT, September 13, 2011