...
> > By nature of the protocol it is not possible to proxy ssh like telnet or
> > ftp.
> 
> I remember you saying this before, Kerry. From a linux list (can't
> remember which) I once got the distinct impression that there are
> proxies for ssh and it's possible, but I didn't follow it up. Or is
> the real problem not the proxying, but the charging?

You can't proxy ssh in the pure sense -- here's why:

With a standard proxy you connect to the proxy and then when
authenticated you connect to your destination.  There are actually two
connections:

client -----> proxy -------> destination
        ^               ^
   encrypted         encrypted (or not maybe*)

* I see UCAR use a "proxy" and the second connection may be unencrypted
(http://www.ucar.edu/csac/userdocs/gatesshproxy.html)

You might think that you can use this method for ssh but consider this:
You do not connect direct to your host, you use an intermediary. 
Between your connection to the proxy and the proxied connection to the
destination, your data must be unencrypted on the proxy and then
re-encrypted and resent to your actual destination.  A hacker or
unethical sysadmin on the proxy can eavesdrop on your connection without
the hassle of having to go to the effort of cracking your encryption.
This is known as a 'man-in-the-middle' attack.

As for transparent proxies, this won't work either.

So you're left with either allowing ssh through and charging all the
connections to a host to a specific user code (same as web servers on
campus) or using a sandbox or "proxy" method as described above and taking
the risk that no one is eavesdropping on the proxy.

Kerry.
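The two-connection picture above can be checked with a small model. This is an added example, not code from the thread or from any SSH implementation: host keys are random secrets, a server proves possession with an HMAC over the client's nonce, and the client compares the presented key's fingerprint with one it pinned earlier (the role known_hosts plays in SSH). It assumes the proxy is a terminating one, as Kerry describes, so it must present its own key on the client-facing hop.

```python
"""Toy model (constructed, not real SSH) of why a decrypting proxy cannot
be transparent to an SSH-style client that pins the destination host key."""
import hashlib
import hmac
import os


def new_host_key() -> bytes:
    """Constructed stand-in for a host's private key."""
    return os.urandom(32)


def fingerprint(key: bytes) -> str:
    """What the client stores and later compares (known_hosts in SSH)."""
    return hashlib.sha256(key).hexdigest()


def prove(key: bytes, nonce: bytes) -> bytes:
    """Server side: show possession of the host key for this nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def client_accepts(pinned_fp: str, presented_key: bytes,
                   nonce: bytes, proof: bytes) -> bool:
    """Client side: accept only a pinned key with a valid proof."""
    if not hmac.compare_digest(fingerprint(presented_key), pinned_fp):
        return False  # key substituted: a terminating proxy or other MITM
    return hmac.compare_digest(prove(presented_key, nonce), proof)


def direct_session(dest_key: bytes, pinned_fp: str) -> bool:
    """client ---> destination: one connection, one host key."""
    nonce = os.urandom(16)
    return client_accepts(pinned_fp, dest_key, nonce, prove(dest_key, nonce))


def proxied_session(dest_key: bytes, proxy_key: bytes, pinned_fp: str) -> bool:
    """client ---> proxy ---> destination: the proxy terminates hop 1 with
    its own key (it does not hold dest_key), so it sees plaintext there and
    opens hop 2 itself. Returns the client's verdict on hop 1."""
    nonce1 = os.urandom(16)
    client_ok = client_accepts(pinned_fp, proxy_key, nonce1, prove(proxy_key, nonce1))
    # Hop 2 succeeds from the proxy's point of view but does nothing for the client.
    nonce2 = os.urandom(16)
    assert client_accepts(fingerprint(dest_key), dest_key, nonce2, prove(dest_key, nonce2))
    return client_ok
```

The check only helps if the pin was taken from the destination directly; a client that records whatever key it first sees through the proxy will accept the proxy's key from then on.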


