
I've asked this on another SE site, but I don't think I was clear enough. So, I will try it here. As an example - I have 2 domains (acme.com, ajax.com). Both resolve to my single static IP. Meanwhile, my router routes all port 22 traffic (SSH) to a Linux server (192.168.1.21). What I would like to do (if this is possible) is to make acme.com THE URL for SSH. I realize all of the traffic is routed to .21 (the router doesn't know about names), but is there some way to instruct Linux to reject port 22 requests when the name requested is ajax.com? In other words, is there any way to ask Linux to see the entire request?

Or perhaps the SSHd can do this? (shot in the dark)

Thanks in advance for any advice.

aserwin
  • Typically you are not supposed to re-post identical questions on SE, it violates the FAQ for SF and many of the other SE sites as well. Do you mind providing a link to the old question please? – Brent Pabst Aug 02 '12 at 22:55
  • Please do not cross-post. If a question should be on a different site we can migrate it. I've requested your other question be closed as this one has a better answer. – Chris S Aug 03 '12 at 00:20

1 Answer


No.

When you ssh to acme.com, the client's PC resolves it to an IP address, and ssh just connects to that IP. It never sends the domain name to the sshd on the server.

mulaz
  • When traffic comes into the server on port 80, the daemon parses the request by name. You can have several domain names coming to the same IP address... Why can't SSH read this information? – aserwin Aug 02 '12 at 23:03
  • Yes, but webservers are not ssh. With webservers it's practical (economical) to have more than one page on one server, and to separate them with vhosts. With ssh you usually don't need separation.. there is no practical need for it (except security-through-obscurity). – mulaz Aug 02 '12 at 23:09
  • BTW, virtualhosts are not that old, and AFAIK virtualhosts with ssl are/were still unsupported with IE on WinXP. – mulaz Aug 02 '12 at 23:10
  • Security is what I crave... but that is my point. The information is there, in the request... I just have a hard time believing there is no way I can get at it. – aserwin Aug 02 '12 at 23:14
  • @aserwin To parse on name info the name info needs to be sent in the first place. That just is not standard. HTTP is the odd one out. – Hennes Aug 02 '12 at 23:15
  • I guess I don't understand that... Does the router know to pass the name? Or does that happen at the DNS level? (I didn't think DNS knew about port) – aserwin Aug 02 '12 at 23:19
  • Your browser also sends the "Host" (the domain) in the request (starting from HTTP 1.1 I think). SSH doesn't. Very old browsers don't. FTP doesn't. VPNs don't. BitTorrent doesn't. ping doesn't. .... – mulaz Aug 02 '12 at 23:27
  • @aserwin: In the HTTP case, it's handled by the HTTP protocol. DNS and the router have nothing to do with it. The SSH protocol has nothing comparable, so there's no way to do it with SSH. The information is just never sent. – David Schwartz Aug 02 '12 at 23:29
  • @DavidSchwartz that makes a lot more sense. The protocol itself. I had noticed that I can telnet to a web site on port 80 and get the same information as I can when I browse to it with a web browser... Thanks for that. – aserwin Aug 02 '12 at 23:35
  • Turns out it might be possible after all! http://serverfault.com/questions/329529/virtual-hosts-for-ssh – aserwin Aug 02 '12 at 23:45
  • @aserwin That's a horrid question, running two different services on different ports isn't even close to the same thing as virtual hosts. If you ran two copies of Apache with different websites, one on port 80 and the other on 81, nobody would know to put the "81" in the address and for practical purposes it wouldn't be usable. The "Answer" to that question talks about setting up an SSH gateway, which still isn't the same; it's just creating a second connection based on username (which carries plenty of problems and unexpected behavior). – Chris S Aug 03 '12 at 00:24
  • @Chris S - I am not talking about running more than one service... I am talking about limiting the ways one can get to a service. – aserwin Aug 03 '12 at 01:24
  • And I am not sure I am buying the argument that the name isn't sent. You can clearly see that logging into a Linux system via SSH, when prompted for your password, you are identified as 'username@ip' OR 'username@name'... so CLEARLY SSH has some idea of how it was accessed. – aserwin Aug 03 '12 at 01:36
  • "I am not sure I am buying the argument that the name isn't sent" - Ok, [here's the source code repository](http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/), read the code for yourself if you don't believe us. That prompt is client side too, the server has no idea what the client program is doing at that time. – Chris S Aug 03 '12 at 01:43
  • That prompt is a program on the server called login, which is launched by a program called getty. It is not client side. – aserwin Aug 03 '12 at 02:03
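The answer and the comment thread turn on one fact: an HTTP/1.1 request carries a `Host` header, while the SSH client's opening message (the identification string from RFC 4253 section 4.2) has no field for the name the user typed. The following added example, not code from the original thread, parses a constructed sample of each and shows what a server at the far end could actually read; the `ClientHello` type and `parse_client_hello` function are names chosen here.

```python
"""Added example (not from the original post): what an HTTP/1.1 client and an
SSH client send first, and whether a server can read a requested hostname from it."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first thing a browser sends for http://acme.com/
HTTP_CLIENT_HELLO = b"GET / HTTP/1.1\r\nHost: acme.com\r\nUser-Agent: example/1.0\r\n\r\n"

# Constructed sample: an SSH client identification string. RFC 4253 defines it as
# "SSH-protoversion-softwareversion SP comments CR LF"; no field carries the
# hostname the user typed on the command line.
SSH_CLIENT_HELLO = b"SSH-2.0-OpenSSH_6.0\r\n"


@dataclass
class ClientHello:
    protocol: str                   # "http" or "ssh"
    requested_host: Optional[str]   # name the client asked for, if the protocol carries one
    detail: str                     # software version (SSH) or request line (HTTP)


def parse_client_hello(data: bytes) -> ClientHello:
    """Return what a server can learn about the requested name from a client's
    opening bytes. Raises ValueError for malformed input."""
    if data.startswith(b"SSH-"):
        line, sep, _rest = data.partition(b"\r\n")
        if not sep or len(line) + 2 > 255:   # RFC 4253 caps the line at 255 bytes
            raise ValueError("malformed SSH identification string")
        ident, _, _comments = line.decode("ascii").partition(" ")
        _, proto, software = ident.split("-", 2)
        if proto != "2.0":
            raise ValueError(f"unsupported SSH protocol version {proto}")
        return ClientHello("ssh", None, software)   # nothing here names a server

    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _method, _target, version = request_line.split(" ")
    headers = {}
    for header in header_lines:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    # HTTP/1.1 made Host mandatory; that header is what name-based vhosts key on.
    # HTTP/1.0 clients (the "very old browsers" of the thread) may omit it.
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return ClientHello("http", headers.get("host"), request_line)
```

Because the SSH server only ever sees the source address, the destination address and the port, the selectors available for restricting access are those, not a hostname.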