{"title":"sshr: An SSH Proxy Server Responsive to System Changes without Forcing Clients to Change","authors":"Hirofumi Tsuruta, Ryosuke Matsumoto","doi":"10.1109/COMPSAC48688.2020.00043","DOIUrl":null,"url":null,"abstract":"To respond to various requests from users, web service infrastructure must change system configurations quickly and flexibly without making users aware of the system configuration. However, because SSH used as a secure remote connection service to a server must send a connection request by specifying the IP address or hostname of the server, the SSH client must know the changed information when the IP address or hostname is changed. To overcome this difficulty, a method exists by which a client tool such as gcloud command obtains the IP address or hostname of the destination server based on unique label information of each server. However, this method requires restrictions and changes to the tools used by the client side. Another method is to use a proxy server, such as SSH Piper, to obtain the IP address or hostname of the destination server based on the SSH username. In existing SSH proxy servers, the source code must be changed directly to change the proxy server behavior. As described herein, we propose an SSH proxy server which can follow system changes using hook functions that can be incorporated by system administrators without requiring restrictions or changes to the clients. The proposed method has high extensibility for system changes because the proxy server behavior can be changed easily merely by modifying the hook function to be incorporated. 
Furthermore, using the proposed method confirmed that the overhead of establishing an SSH session is about 20 ms, which is a short time during which the SSH client does not feel a delay when logging into the server with SSH.","PeriodicalId":430098,"journal":{"name":"2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COMPSAC48688.2020.00043","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0