[Techtalk] Horribly insecure ssh tunnel?

Sophie sophie at cats.meow.at
Wed Sep 11 10:51:18 EST 2002


On Tue, Sep/10/02 09:49:51PM +0100, Conor Daly wrote:
>  
> I had thought about dyndns before but I figured that was more suited to
> the sort of dynamic ip address you might get with your cable modem that
> would persist over days or longer.

From my experience, dyndns updates instantly. At least, I've looked for a delay, and it just doesn't happen :) It really does work quite well.

There are some with noticeable delays though, iirc dyn.dhs.org (who are different to dyndns.org :) It seemed to take about half an hour for them. This is from memory though, so I may be inaccurate. Also, I could, of course, be totally wrong :)


> One possibility is to upload my ip address to a web page and
> have the remote network do likewise.  Then, when a connection is required,
> the client need only pull the ip from the web and use it for ssh.  This
> would make it less easy for someone to spoof the ip address.

That works too, and has the same effect as using dns.


> 192.168.x.x routed through the ISP's NAT server.  The closest Ireland has
> to "flat rate" internet access is a 150 hour/month capped evenings and
> weekends only 56k dialup service costing about EUR30 per month which is 
> about what many Europeans pay for 516k ADSL 24/7!

Good grief! My sympathy.


> > > Possibly ssh-agent would be useful to you also?
> > 
> > The problem with ssh-agent is that you need to supply the passphrase at
> > some point.
> 
> Given that this server will be taken down nightly (it will be in Malawi,
> Africa where there are significant concerns about the quality of the mains
> power, spikes, brownouts and regular thunderstorms come as standard), the
> passphrase would need to be entered each morning.

But you could put the public key on the server in Malawi, and have your machine (which I hope you trust!) connect to it? Keypairs with no passphrase are useful for automation, too.

Something like, your home machine logs in to the remote server, runs whatever will make that machine initiate a link and logs out again, leaving the remote machine continuing to run the link stuff.


> Of course, it _is_ possible that the remote ISP already allows port 22
> through to its dialup clients.  In that case, all I need do is "ssh
> remote.hosts.ip.addr" (using suitably secured keypairs of course) and I'm
> in!  But I won't know that until the server is already there and
> connected...

Good grief... this is getting convoluted :)

You can have the sshd listen on a port other than 22, also, if they block that. The only reason I can see for anything more elaborate is if the remote machine is NATed behind something.


> It might be a worthwhile exercise to send out a bootable
> linux CD to be loaded on an existing MS Win98 box out there.  To have that
> connect to the internet, email me its ip and listen on port 22 for an ssh
> connect would help me a lot but that involves the effort of actually
> building such a bootable CD as well ( the linuxcare Bootable Business Card
> is quite suited to this kind of thing...).

Or you could ask them to run a windows-based "firewall" for the sole purpose of displaying attempted connections, so you can see that machine's perspective...

good luck!

- sophie
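The "suitably secured keypairs" and the passphrase-less automation key discussed above are normally made safe by restricting the key on the server side: an authorized_keys entry can pin the key to a source address, force it to run one command (here, whatever script brings the link up) and deny a pty, port forwarding and agent forwarding, so a stolen key file buys an attacker only that one action. The shell function below, added as an example rather than code from the thread, builds such an entry from a public key line; the key, the address 203.0.113.5 and the script path /usr/local/bin/start-link are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a passphrase-less automation
# key into a restricted authorized_keys entry on the machine it logs in to.
# The options make the key usable only from one source address (use "*" if
# the client's address is not fixed), only to run one forced command, with
# no pty, no port forwarding and no X11 or agent forwarding. The key,
# address and script path used below are constructed placeholders.

# usage: restricted_key_line FROM_PATTERN FORCED_COMMAND 'PUBLIC_KEY_LINE'
# The body runs in a subshell so 'set -f' (no glob expansion while the key
# line is split into words) does not leak into the caller.
restricted_key_line() (
    from=$1
    cmd=$2
    set -f
    set -- $3    # split "<type> <base64> [comment...]" into words
    [ $# -ge 2 ] || { echo "malformed public key line" >&2; exit 1; }
    ktype=$1; kdata=$2; shift 2; comment=$*

    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) echo "unsupported key type: $ktype" >&2; exit 1 ;;
    esac
    # Key data must be base64; anything else is not a key line.
    case "$kdata" in
        *[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; exit 1 ;;
    esac
    # A double quote inside from= or command= would break the entry syntax.
    case "$from$cmd" in
        *\"*) echo "double quotes are not allowed in options" >&2; exit 1 ;;
    esac

    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s%s\n' \
        "$from" "$cmd" "$ktype" "$kdata" "${comment:+ $comment}"
)

# Constructed sample as it would appear in link_key.pub on the home machine.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyDATAnotAREALkey0000 home-link'

# Print the line to append to ~/.ssh/authorized_keys on the remote server.
restricted_key_line '203.0.113.5' '/usr/local/bin/start-link' "$SAMPLE_PUB"
```

The forced command runs no matter what the client asks for, so /usr/local/bin/start-link should itself start the link in the background and return, which is exactly the "log in, kick it off, log out" sequence described above.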
