SSH has no Host header

No “Host” in SSH? Clever fix or scary middleman vibes

TLDR: exe.dev routes SSH to your VM using shared IPs and your login key since SSH lacks a website-style “Host” hint. Commenters split between “just use ports,” fears of a risky middleman and key reuse, and questions about scaling, making this a trust-versus-convenience showdown for anyone who SSHs into the cloud.

SSH doesn’t have a “Host” hint like the web, so exe.dev says it built a crafty workaround: a pool of shared IPv4s and a router that looks at which IP you used and which public key you present, then shuttles you to the right virtual machine. Neat in theory—and then the comments lit up like a server rack.

Skeptics swooped in first. One voice asked, essentially, why not just use different ports per machine—simple and obvious. A security-minded commenter called SSH itself “poorly designed,” teeing up a bigger mood: if the protocol is awkward, any workaround will be… spicy. Another linked to sshproxy and wondered if exe.dev sits in the middle, decrypting and re-encrypting—aka a “man in the middle.” Defenders countered with a shrug: you already trust the host when you rent a VM, so who cares if there’s a smart proxy in front.

Then the plot twist: someone noticed multiple gateway hosts sharing the same server key and asked the nuclear question—“So this is full MitM?” Others worried about scaling: if a user spins up many machines, do proxy IPs run out? Between jokes about “Sshh… it’s a secret proxy” and “port 22222 is fashion now,” this turned into a terminal telenovela. Verdict from the crowd: cool idea, but we want receipts on trust, keys, and how it holds up under load.

Key Points

  • exe.dev wants each VM accessible via a single domain for both HTTPS and SSH.
  • Sharing IPv4 among many VMs is easy for web traffic using the HTTP Host header but not for SSH, which lacks such a header.
  • Their solution uses a pool of public IPv4s and assigns each VM a unique IP relative to its owner.
  • During SSH connection, the client public key identifies the user; the {user, IP} tuple uniquely maps to a VM.
  • Implementing the SSH proxy and IP allocation required bespoke management and handling of NAT/VPC complexities.
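
The lookup those points describe, as an added sketch (not exe.dev's code): each owner gets the first pool IP they are not already using, and the router resolves a connection from the presented key plus the destination IP. The class and method names, the 192.0.2.x pool and the key bytes are constructed for illustration.

```python
import base64
import hashlib

class PoolExhausted(Exception):
    """Raised when an owner already occupies every IP in the shared pool."""

def fingerprint(pubkey_blob: bytes) -> str:
    # OpenSSH-style SHA256 fingerprint: unpadded base64 of the key blob's digest.
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class SshRouter:  # hypothetical name, illustration only
    def __init__(self, pool):
        self.pool = list(pool)   # shared public IPv4s (documentation range here)
        self.key_owner = {}      # key fingerprint -> user
        self.routes = {}         # (user, ip) -> VM name

    def register_key(self, user, pubkey_blob):
        fp = fingerprint(pubkey_blob)
        # A key must identify exactly one user, or {user, IP} stops being unique.
        if self.key_owner.get(fp, user) != user:
            raise ValueError("key already registered to another user")
        self.key_owner[fp] = user

    def allocate(self, user, vm):
        # IPs are unique per owner only: two owners can hold the same IP.
        for ip in self.pool:
            if (user, ip) not in self.routes:
                self.routes[(user, ip)] = vm
                return ip
        raise PoolExhausted(f"{user} already has {len(self.pool)} VMs")

    def route(self, dest_ip, pubkey_blob):
        # Fail closed: an unknown key or an unassigned IP yields None (reject).
        user = self.key_owner.get(fingerprint(pubkey_blob))
        if user is None:
            return None
        return self.routes.get((user, dest_ip))

def demo():
    router = SshRouter(["192.0.2.10", "192.0.2.11"])
    alice, bob = b"constructed-key-alice", b"constructed-key-bob"
    router.register_key("alice", alice)
    router.register_key("bob", bob)
    ips = (router.allocate("alice", "alice-web"),
           router.allocate("alice", "alice-db"),
           router.allocate("bob", "bob-ci"))
    return router, ips, (alice, bob)
```

In this model the scaling question from the comments shows up as `PoolExhausted`: one owner can hold at most as many VMs as the pool has addresses.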

Hottest takes

just assigning an ip + port per vm? — Eikon
many things about the protocol are poorly designed — dlenski
So this is full MitM? — krautsauer
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.