NAME
sslh - ssl/ssh multiplexer
SYNOPSIS
sslh [ -t num ] [-p listening address] [-l target address for SSL] [-s
target address for SSH] [-u username] [-P pidfile] [-v] [-V]
DESCRIPTION
sslh lets one accept both HTTPS and SSH connections on the same port.
It makes it possible to connect to an SSH server on port 443 (e.g. from
inside a corporate firewall, which almost never block port 443) while
still serving HTTPS on that port.
The idea is to have sslh listen to the external 443 port, accept the
incoming connections, work out what type of connection it is, and then
fordward to the appropriate server.
Protocol detection
The protocol detection is made based on a small difference between SSL
and SSH: an SSL client connecting to a server speaks first, whereas an
SSH client expects the SSH server to speak first (announcing itself
with a banner). sslh waits for some time for the incoming connection to
send data. If it does before the timeout occurs, it is supposed to be
an SSL connection. Otherwise, it is supposed to be an SSH connection.
Libwrap support
One drawback of sslh is that the ssh and httpd servers do not see the
original IP address of the client anymore, as the connection is
forwarded through sslh. sslh provides enough logging to circumvent
that problem. However it is common to limit access to ssh using
libwrap or tcpd. For this reason, sslh can be compiled to check SSH
accesses against SSH access lists as defined in /etc/hosts.allow and
/etc/hosts.deny.
OPTIONS
-t num
Timeout before a connection is considered to be SSH. Default is 2s.
-p listening address
Interface and port on which to listen, e.g. foobar:443, where
foobar is the name of an interface (typically the IP address on
which the Internet connection ends up).
Defaults to 0.0.0.0:443 (listen to port 443 on all available
interfaces).
-l target address for SSL
Interface and port on which to forward SSL connection, typically
localhost:443.
Defaults to localhost:442 (this assumes you would configure your
httpd process to listen to port 443).
Note that you can set sslh to listen on ext_ip:443 and httpd to
listen on localhost:443: this allows clients inside your network to
just connect directly to httpd.
-s target address for SSH
Interface and port on which to forward SSH connection, defaults to
localhost:22.
-v Increase verboseness.
-V Prints sslh version.
-u username
Requires to run under the specified username. Defaults to nobody
(which is not perfect -- ideally sslh should run under its own
UID).
-P pidfile
Specifies the file in which to write the PID of the main server.
Defaults to /var/run/sslh.pid.
FILES
/etc/init.d/sslh
Start-up script. The standard actions start, stop and restart are
supported.
/etc/default/sslh
Server configuration. These are environement variables loaded by
the start-up script and passed to sslh as command-line arguments.
Refer to the OPTIONS section for a detailed explanation of the
variables used by sslh.
SEE ALSO
Last version available from <http://www.rutschle.net/tech/sslh>, and
can be tracked from <http://freshmeat.net/projects/sslh/>.
AUTHOR
Written by Yves Rutschle