From owner-freebsd-chat Wed Dec 17 14:24:08 1997
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA20370 for chat-outgoing; Wed, 17 Dec 1997 14:24:08 -0800 (PST) (envelope-from owner-freebsd-chat@FreeBSD.ORG)
Received: from ns.mt.sri.com (sri-gw.MT.net [206.127.105.141]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA19817 for ; Wed, 17 Dec 1997 14:18:59 -0800 (PST) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id PAA11137; Wed, 17 Dec 1997 15:18:53 -0700 (MST) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id PAA14340; Wed, 17 Dec 1997 15:18:47 -0700
Date: Wed, 17 Dec 1997 15:18:47 -0700
Message-Id: <199712172218.PAA14340@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Charles Mott
Cc: Nate Williams, Marc Slemko, chat@FreeBSD.ORG
Subject: Re: Support for secure http protocols
In-Reply-To:
References: <199712171926.MAA13503@mt.sri.com>
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > remote host has sshd. If so, it redirects all traffic to that host
> > > through port 22 using port forwarding. This builds on techniques which
> > > already exist in natd and ppp -alias.
> >
> > Unfortunately, things don't work that way. The only time 'automatic'
> > use of the old ports occurs is on Unix (not Wintel), and *only* when you
> > are first setting up the connection (again, only on Unix.) This is
> > intended as a replacement for rsh, which doesn't exist on Wintel boxes.
>
> I don't think you understand what I am talking about. See paragraph
> below. I know what ssh does. I also know what tcp does.

You've changed the subject. The original subject was supporting secure
HTTP, and now we're dealing with a very specialized setup, and the point
is that SSH won't work for the generic solution, and your comments imply
that it would work. Now that we've changed the background, it *may*
work, but I'm not convinced that the commercial SSH client for Windows
is up to the task.

I've spent the last couple of months dealing with the issues, so I'd
like to think I have a clue here. (Not saying that you don't, but your
comments imply to me that you don't have experience with the Wintel SSH
client, or understand all that SSH attempts to solve and what it doesn't
attempt to solve.)

> What I don't know is whether port forwarding relationships can be
> dynamically created and destroyed during a single ssh session. Probably
> not, but desirable.

Definitely not desirable due to security issues. And, if you allow port
forwarding then you've got a security hole you can drive a truck
through. ;(

Nate
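The closing point of the message above, that permitting TCP forwarding on an sshd turns every account that can log in into a tunnel endpoint, is the kind of thing worth checking mechanically on a host. The script below is an added example, not code from this thread or from any of the participants: it reads an OpenSSH sshd_config and classifies the forwarding policy from the top-level AllowTcpForwarding, GatewayPorts and PermitOpen keywords. It assumes the OpenSSH keyword/value syntax where the first occurrence of a keyword wins, ignores everything from the first Match block onward and the `Keyword=value` spelling, and uses constructed sample configs written to temporary files; the function names forwarding_policy and sshd_value are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the TCP
# forwarding policy of an OpenSSH sshd_config. Assumes OpenSSH semantics
# (first value of a keyword wins; defaults AllowTcpForwarding yes,
# GatewayPorts no, PermitOpen any); Match blocks are deliberately ignored.

# Print the first top-level value of a keyword, or the given default.
sshd_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        NF == 0 || $1 ~ /^#/        { next }   # skip blank lines and comments
        tolower($1) == "match"      { exit }   # per-user overrides not handled here
        tolower($1) == tolower(k)   { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Classify: denied | exposed | restricted | allowed
forwarding_policy() {
    file=$1
    fwd=$(sshd_value "$file" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    gw=$(sshd_value "$file"  GatewayPorts      no  | tr 'A-Z' 'a-z')
    open=$(sshd_value "$file" PermitOpen       any | tr 'A-Z' 'a-z')

    if [ "$fwd" = "no" ]; then
        echo "denied"            # no -L/-R/-D tunnels for anyone at top level
    elif [ "$gw" != "no" ]; then
        echo "exposed"           # remote forwards bind every interface, not just loopback
    elif [ "$open" != "any" ]; then
        echo "restricted"        # local forwards limited to listed host:port targets
    else
        echo "allowed"           # any logged-in user can tunnel anywhere (yes/local/remote)
    fi
}

# Constructed sample configs, not taken from any real host.
weak=$(mktemp); limited=$(mktemp); hardened=$(mktemp)
cat >"$weak" <<'EOF'
# permissive: every account doubles as an open relay for TCP
Port 22
AllowTcpForwarding yes
GatewayPorts yes
EOF
cat >"$limited" <<'EOF'
Port 22
AllowTcpForwarding yes
PermitOpen 127.0.0.1:80
EOF
cat >"$hardened" <<'EOF'
Port 22
AllowTcpForwarding no
Match User webproxy
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:80
EOF

echo "weak:     $(forwarding_policy "$weak")"
echo "limited:  $(forwarding_policy "$limited")"
echo "hardened: $(forwarding_policy "$hardened")"
```

Run it as `sh check_forwarding.sh`; to audit a live host, call `forwarding_policy /etc/ssh/sshd_config` instead of the samples. The Match-block caveat matters in practice: the hardened sample reports "denied" at top level while still granting a narrow PermitOpen to one user, which is the shape of a deliberate exception rather than the truck-sized hole the message warns about.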