Forum Discussion

Benoit_Durand_1's avatar
Icon for Nimbostratus rankNimbostratus
Feb 13, 2019

SSH Proxy - What do I need?

Greetings and thank you for your time. I have a server with an application which uses SSH to communicate with clients. That server can't be updated and presents vulnerabilities in the way it communicates with clients. I need to proxy that service on Big IP and be able to select/restrict ciphers and such so the security scans are clean. I do not need all the functionality of per-user control and such of the SSH_Proxy feature, just a proxy of the SSH connectivity so that proper security is presented client side while keeping the server side "insecure".


My questions:


  1. Do I need AFM to do this or can this be done strictly through LTM?


  2. I watched the F5 Wednesday Whiteboard video on SSH proxy and it mentions that the initial handshake is done from client to server directly and that BigIP kicks in as a man-in-the-middle afterwards. Wouldn't that defeat my requriement of presenting a clean security exchange with the client?


  3. Can client authentication (simple username/password, no client cert) be passed through to the backend server or does the SSH user authenticate to BigIP?


Essentially I'm looking for a way to do a simply proxy termination for an SSH service with the capability of presenting different ciphers to the client than those received from the server. I don't need to look inside the SSH stream. What would be the best way to accomplish that?


Thank you much :)


  • Ben

1 Reply

  • You can proceed with LTM, by creating a standard type of Virtual Server, which the users would target. Get an SSL certificate to create an SSL profile for the clients which want to connect to the VS (and in turn your server).The only communication going to your real server would be that of from the F5, so much of your security concerns can be met.