Hi Anthony,
One issue not covered with this back door is what happens if shellworld itself is down? That happened for two weeks recently. If I used shellworld to somehow reach dreamhost, and shellworld is compromised, I personally end up with no electronic contact with the outside world whatsoever. I am likewise not personally comfortable tapping shellworld servers to reach the dreamhost ones; I agree with you that the problem would likely remain. More important, though, neither of these solutions provides a from-my-desktop-to-my-dreamhost-shared-account-workspace solution, which is a must-have here.

Thanks,
Karen

On Wed, 10 Oct 2018, Anthony de Boer via talk wrote:

Jason Shaw via talk wrote:
On Wed, Oct 10, 2018 at 3:06 PM Mike via talk <[email protected]> wrote:
That is, SSH to your other shell account, and instead of running your
email program, run "ssh user@eugene...", and once connected to eugene,
proceed as though you were connected directly.

This is a great recommendation and can be easily automated.  In your
personal ssh config, usually ~/.ssh/config, you can add:

Host *.dreamhost.com
        ProxyCommand ssh -q shellworld_host nc %h %p

Those suggestions are two very different things.  Mike is suggesting
SSH'ing to the shell on the intermediate box and then SSH'ing from it,
while Jason is suggesting SSH'ing to the intermediate and then using it
to pipe an inner SSH connection through the outer SSH connection and
emerge there for the onward hop to the destination.

Caveat for the first solution: it involves using your credentials on the
intermediate box, so if anyone evil has compromised it they can now pop
the destination box too.

Caveat for the second solution: the SSH conversation still involves the
near-end client negotiating crypto with the far-end server, so if that
started off being the problem it's still that problem.  Also, the middle
box might not have nc (netcat) installed but there are other tactics
like LocalForward configuration that can do the same thing.

Such plumbing is often necessary for a variety of reasons.  Just make
sure you know where you are.  The commands "whoami" and "hostname"
are often useful!

Setting the bash prompt to include the hostname is helpful.  Always pause
a moment to be sure where you are before typing commands like reboot,
poweroff, and such.  I've even known people to alias away commands like
that on shared servers after inadvertently using them a time too many
thinking they were on their test rig.

--
Anthony de Boer
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk

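As an added example (not part of the thread, and not a configuration either poster supplied), here is the jump-host setup from Jason's message written out in full, with the two alternatives Anthony alludes to for a middle box that has no nc. The host alias "shellworld", the HostName shellworld.example.net and the User values are assumptions standing in for the real accounts.

```sshconfig
# Added example, not from the thread. Host names and user names below are
# placeholders; replace them with the real shellworld and DreamHost accounts.

# The intermediate shell account. Pinning its host key means a changed key on
# the intermediate is reported instead of silently accepted.
Host shellworld
    HostName shellworld.example.net   # assumption
    User youruser                     # assumption
    StrictHostKeyChecking yes

# The destination, reached through the intermediate. In every form below the
# inner SSH session is negotiated between this desktop and the DreamHost
# server: the intermediate relays the inner protocol stream, so it can see
# that a connection to %h:%p is being made and can refuse or cut it, but the
# authentication (password or key) happens inside the inner encrypted channel
# and is not exposed to it. This is the difference from logging in on the
# intermediate and typing the second ssh there, where your destination
# credentials are used on the middle box itself.
Host *.dreamhost.com
    User youruser                     # assumption
    StrictHostKeyChecking yes

    # Form 1 (as posted in the thread): requires nc on the intermediate.
    # ProxyCommand ssh -q shellworld nc %h %p

    # Form 2: no nc needed; ssh's own -W stdio forwarding does the relaying.
    # ProxyCommand ssh -q -W %h:%p shellworld

    # Form 3 (OpenSSH 7.3 and later): shorthand for form 2.
    ProxyJump shellworld
```

After saving this, `ssh eugene.dreamhost.com` (or the real DreamHost host name) from the desktop opens the outer session to shellworld and the inner session through it in one step, and the destination's host key is recorded in known_hosts under its own name, so a later key change there is still noticed. The LocalForward route Anthony mentions does the same job in two steps: `ssh -L 2222:eugene.dreamhost.com:22 shellworld` in one terminal, then `ssh -p 2222 localhost` in another; with that route the destination's key is stored under `[localhost]:2222`, so check the key ssh reports the first time rather than accepting it by reflex. Neither form helps when shellworld itself is down, which is the gap Karen raises: the jump host is a single point of failure in both.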