[sslh] sslh-1.14 (AE) released!

Yves Rutschle yves at naryves.com
Thu Dec 20 22:35:15 CET 2012


On Thu, Dec 20, 2012 at 09:20:47PM +0000, Matt Smith wrote:
> Can you clarify these options for me? Am I right to think that
> --on-timeout defaults to "ssh" and is the service name to forward on
> connections that hit the timeout value? In which case I'm slightly
> confused by the usage text that says "[--on-timeout <addr>]". Is
> that <addr> supposed to be <name>?

Your assumption is correct, and in fact the man page read
[--on-timout <protocol name>].

I'll correct the help message.

> And if you can now change it to a different service like http or
> ssl, does that imply that there is now a way of detecting ssh with a
> probe rather than the timeout?

There always has been a --ssh option, which detects... ssh.

The thing about ssh is that clients get a choice of speaking
first (in which case the protocol will be detected by the
--ssh probe as any other protocol) or waiting until the
server speaks (in which case sslh will time out and branch
to either the --on-timeout-specified protocol or ssh by
default).

I guess I can clarify the man page somewhat.

> And for the --anyprot parameter. Is that now for if it detects
> something sent before the timeout, but it doesn't match any probes?

That's exactly right. It should also be specified last
(basically sslh tries probes in the order in which they're
specified, and --anyprot always succeeds).

> What happens if you don't include this parameter, which service does
> it then default to for this?

The first specified protocol, which I'll admit is entirely
arbitrary.

These last two points should be clear in the man page, I
think.

Cheers,
Y.
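The selection rules Yves describes (probes tried in the order they were given, --anyprot always matching, a silent client falling through to the --on-timeout protocol, and the first configured protocol as the fallback when nothing matches and --anyprot is absent) can be modelled in a few lines. The following is an added illustration written for this archive page, not sslh's own code: the probes are deliberately simplified byte-prefix checks, the function and variable names are invented, and the sample first-bytes are constructed.

```python
"""Model of sslh's protocol selection as described in the reply above.

Constructed example, not sslh source: the probes below are simplified
stand-ins for sslh's real ones, and the names are invented.
"""
from typing import Callable, Dict, List, Optional


def probe_ssh(data: bytes) -> bool:
    # A client that speaks first on SSH sends its version banner.
    return data.startswith(b"SSH-")


def probe_ssl(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def probe_http(data: bytes) -> bool:
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"CONNECT ")
    return data.startswith(methods)


def probe_anyprot(data: bytes) -> bool:
    # --anyprot always succeeds, which is why it must be listed last.
    return True


# Map of option name -> probe, in the spirit of --ssh, --ssl, --http, --anyprot.
PROBES: Dict[str, Callable[[bytes], bool]] = {
    "ssh": probe_ssh,
    "ssl": probe_ssl,
    "http": probe_http,
    "anyprot": probe_anyprot,
}


def select_protocol(first_bytes: Optional[bytes], configured: List[str],
                    on_timeout: str = "ssh") -> str:
    """Return the protocol name a connection is forwarded to.

    first_bytes is None when the client sent nothing before the timeout
    (the usual case for an SSH client waiting for the server banner).
    configured is the list of protocol options in command-line order.
    on_timeout models --on-timeout, which defaults to "ssh".
    """
    if first_bytes is None:
        # Timeout branch: nothing to probe, forward to --on-timeout.
        return on_timeout
    # Probes are tried in the order the options were specified.
    for name in configured:
        if PROBES[name](first_bytes):
            return name
    # No probe matched and no --anyprot: the first specified protocol wins,
    # which, as the reply says, is an arbitrary choice.
    return configured[0]


if __name__ == "__main__":
    # Constructed sample first-bytes for each case.
    order = ["ssh", "ssl", "http", "anyprot"]
    print(select_protocol(b"SSH-2.0-OpenSSH_6.1\r\n", order))   # ssh
    print(select_protocol(b"\x16\x03\x01\x00\xa5\x01", order))   # ssl
    print(select_protocol(b"GET / HTTP/1.1\r\n", order))         # http
    print(select_protocol(b"\x00\x01junk", order))               # anyprot
    print(select_protocol(None, order))                          # ssh (timeout default)
    print(select_protocol(b"SSH-2.0-x", ["anyprot", "ssh"]))     # anyprot: misordered config
```

Running the misordered case shows the practical point: with --anyprot listed before --ssh, an SSH client that sends its banner is still handed to the anyprot target, so the ordering rule is worth checking in any sslh invocation.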
