Michael,
[Only sending to leaf-user since the Addendum confused me.]
I will bite...
On Mon, 27 Jan 2003 12:33:51 EST Michael wrote:
> This is off-topic, but everyone here seems to understand SSH much
> better than I, so hopefully you won't mind answering a question I
> can't seem to unearth through the usual means of google, man
> pages, or HOWTOs.
>
> I would like to "chain" SSH sessions. (Or maybe that should be
> tunnel SSH through another SSH session?)
>
> This question came about
> during a happy hour discussion, "How do you maintain anonymity if
> you can't trust the first encryptor in the chain? (And you don't
> want to be seen using the second.)"
>
> Pictures always work best for me. . .
>
> [Client(me, PuTTY)] ->SSH A-> [Commercial Anonymizer] ->SSH B->
> [Private Anonymizer] --> [Proxy] --> [Web page]
>
> Desired behavior of this mess:
> [Commercial Anonymizer] can't read anything being sent.
> [Private Anonymizer] can read, but only knows traffic is coming
> from [Commercial Anonymizer].
> [Proxy] only knows traffic is coming from [Private Anonymizer].
> (but that's standard I think)
If I understand the goal correctly (and that's a big "if"), this
would achieve it:
ssh [-f] -L 2200:baz:22 u1@bar [sleep 10]
ssh [-f] -p 2200 -L 8080:proxy:80 u2@localhost [sleep 3600]
telnet localhost 8080
HEAD / HTTP/1.0
The optional "-f sleep"s are if you want to do all of this from
a single prompt and want the tunnels to stay open for an hour.
The first tunnel forwards localhost:2200 to baz:22 via bar.
(I made up the >1024 source ports for talking purposes.)
localhost:2200 --> bar:22 --sshd--> bar:1112 --> baz:22
   (encrypted)                   (not encrypted)
The second ssh connection uses the tunnel established by the first
to create a second tunnel from localhost:8080 to proxy:80.
localhost:8080 --> tun1 --> baz:22 --sshd--> baz:1113 --> proxy:80
   (encrypted)                           (not encrypted)
sshd on baz sees a connection attempt from bar:1112. sshd on
bar has decrypted access to data in first tunnel, but that data
is encrypted in second ssh connection, so bar (the commercial
anonymizer) can't read data from localhost:8080 to proxy:80.
Proxy sees connection from baz:1113 (the private anonymizer).
Is that what you were looking for?
--Brad
> Restrictions:
> You have no control over the [Commercial Anonymizer] and you might
> have control over the [Private Anonymizer]. (Well in our "scenario"
> we had anonymously bought a hosting package with SSH privileges for
> the [Private Anonymizer], so probably full control over the [Private
> Anonymizer] )
>
> Intellectual pursuits are sometimes more interesting than real work. . .
>
> Any answers would be great, as well as suggestions for alternate
> methods for accomplishing the same. Even just a link to where
> someone has already done it would be nice.
>
> Thank you,
> Michael
> These and many other completely off the wall discussions held every
> Friday at a local bar near us.
>
> --
> Addendum:
> Return address, [EMAIL PROTECTED]
> And remember sourceforge gets grumpy when you remove postmaster@
> to stomp spam. . .
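The chain Brad describes, as an added shell example (not code from the mail or from the LEAF project): it assembles the same two hops with OpenSSH, keeping the mail's placeholder names u1, u2, bar, baz and proxy and the local listeners 2200 and 8080. The one thing it adds is the check that makes the "bar can't read it" property hold in practice: the second ssh connects to localhost:2200, so by default it files the host key it sees under "[localhost]:2200" and, on first use, trusts whatever answers there. That lets the untrusted hop terminate the inner session with its own key and read the plaintext. HostKeyAlias and StrictHostKeyChecking (both real OpenSSH options) pin the check to baz's known_hosts entry. The ProxyJump variant assumes OpenSSH 7.3 or later; -f -N with ExitOnForwardFailure replaces the "sleep" trick, and curl -sI replaces the telnet HEAD request.

```shell
#!/bin/sh
# Added example (not from the mail above): assemble the two-hop chain
# bar -> baz -> proxy with OpenSSH, pinning host-key verification of the
# inner hop to "baz". Names u1, u2, bar, baz, proxy are the mail's
# placeholders; ports 2200 and 8080 are the same local listeners.
set -u

# Hop A: local $3 -> bar's sshd -> $2:22. bar (the untrusted hop) only
# sees the encrypted bytes of the session that will ride inside this one.
# -N: no remote command; -f: background once the forward is up;
# ExitOnForwardFailure: fail loudly instead of leaving a dead listener.
first_hop_cmd() {
    # usage: first_hop_cmd u1@bar baz 2200
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L %s:%s:22 %s\n' "$3" "$2" "$1"
}

# Hop B: connects to localhost:$3, which is really $2:22 via bar.
# Without HostKeyAlias, ssh would file the key it sees under
# "[localhost]:2200" and trust whatever answers there on first use, so
# bar could terminate the inner session with its own key and read the
# plaintext. HostKeyAlias=$2 makes ssh check the key against the
# known_hosts entry for the real hop, and StrictHostKeyChecking=yes
# refuses an unknown or changed key instead of prompting.
second_hop_cmd() {
    # usage: second_hop_cmd u2 baz 2200 8080 proxy 80
    printf 'ssh -f -N -o HostKeyAlias=%s -o StrictHostKeyChecking=yes' "$2"
    printf ' -o ExitOnForwardFailure=yes -p %s -L %s:%s:%s %s@localhost\n' \
        "$3" "$4" "$5" "$6" "$1"
}

# Same chain with ProxyJump (OpenSSH 7.3+): bar relays the inner session
# over stdio, and ssh checks baz's key under its own name, no alias needed.
proxyjump_cmd() {
    # usage: proxyjump_cmd u1@bar u2@baz 8080 proxy 80
    printf 'ssh -f -N -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes' 
    printf ' -J %s -L %s:%s:%s %s\n' "$1" "$3" "$4" "$5" "$2"
}

# The mail's "telnet localhost 8080" + "HEAD / HTTP/1.0" check as one command.
check_cmd() {
    # usage: check_cmd 8080
    printf 'curl -sI http://localhost:%s/\n' "$1"
}

# Only when invoked as "sh chain.sh run": bring the chain up and test it.
# Sourcing or running the file without "run" just defines the functions.
if [ "${1:-}" = run ]; then
    eval "$(first_hop_cmd u1@bar baz 2200)"
    eval "$(second_hop_cmd u2 baz 2200 8080 proxy 80)"
    eval "$(check_cmd 8080)"
fi
```

Before the first real run, put baz's host key into ~/.ssh/known_hosts under the name "baz" (for example from a session made directly to baz, or copied out of band), otherwise StrictHostKeyChecking=yes will refuse the inner hop; that refusal is the whole point, since accepting an unknown key there is exactly what bar would need you to do. Proxy still sees the connection arriving from baz, and baz's sshd still sees it arriving from bar, as in Brad's diagram.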
-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html