[Techtalk] Horribly insecure ssh tunnel?

Maria Blackmore mariab at cats.meow.at
Tue Sep 10 12:37:24 EST 2002


On Tue, 10 Sep 2002, Sophie wrote:

> On Mon, Sep/ 9/02 02:10:25PM +0100, Conor Daly wrote:
> > I have two networks I wish to connect with an ssh tunnel.  Each network is
> > on a dialup dynamic ip address and, as far as I know, only my local isp
> > allows a connection to my network on port 22.  My idea is to have my local
> > network email its ip address to the remote network which will, in turn,
> > connect back via ssh.
> 
> I've no input whatsoever regarding tunnels, but regarding using
> dynamic IPs, you may find something like ath.cx (dyndns.org) useful.
> Your local network updates the dns server (which takes effect
> instantly, from experience) whenever its IP changes.

Not forgetting that the old information may well end up being cached by
some name servers...

If you were going to do it this way you would want to watch the ath.cx
name servers directly.

Wouldn't it be easier just to ask the ISPs in question for a static IP
address, at least for one of the sites?

> > It seems to me that authentication is the problem.
> 
> Possibly ssh-agent would be useful to you also?

The problem with ssh-agent is that you need to supply the passphrase at
some point.

You could just use an RSA keypair with no passphrase, provided that the
machine holding the private key was sufficiently secured.  Also
remembering to use a keypair that is not the "regular" keypair might be an
idea to consider (using the -i option to specify).

To do this, you can generate your keypair with ssh-keygen, it will prompt
you for a passphrase, which will be blank in this case, and where to put
the keypair.  Once you have the keypair, copy the public key found in the
contents of "identity.pub" (or whatever you called it) to
~/.ssh/authorized_keys on the remote machine (remembering to expand ~
manually, or specify an appropriate user, of course).  There you have it.


Maria
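The key setup Maria describes, written out as an added example that is not part of the original thread: a dedicated passphrase-less keypair for the tunnel, and the authorized_keys entry on the remote side restricted so the key can do nothing but hold the tunnel open. The file name tunnel_key, the use of SSH2 RSA keys rather than the old identity/identity.pub files, and the restriction options chosen are my assumptions (the options themselves are standard OpenSSH authorized_keys options).

```shell
#!/bin/sh
# Generate a keypair used only for the tunnel, separate from the "regular"
# one, with an empty passphrase (-N "") so an unattended job can use it.
# The client then selects it with:  ssh -i ~/.ssh/tunnel_key -N remotehost
gen_tunnel_key() {
  keyfile="$1"
  if [ ! -f "$keyfile" ]; then
    ssh-keygen -q -t rsa -b 4096 -N "" -f "$keyfile" -C "tunnel-key"
  fi
}

# Build the authorized_keys line for the remote machine. A passphrase-less
# key is only as safe as the host holding it, so limit what it may do:
#   command=  replaces any shell with a long sleep (the tunnel still works)
#   no-pty / no-X11-forwarding / no-agent-forwarding  drop unneeded features
#   permitopen=  limits port forwarding to one host:port
#   from=  pins the client address; with a dialup dynamic IP this only helps
#          if the ISP's reverse DNS pattern is stable, so it is optional here.
restricted_authorized_line() {
  pubkey="$1"; from="$2"; permit="$3"
  case "$pubkey" in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
    *) echo "not an OpenSSH public key: $pubkey" >&2; return 1 ;;
  esac
  opts="command=\"/bin/sleep 3600\",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen=\"${permit}\""
  if [ -n "$from" ]; then
    opts="from=\"${from}\",${opts}"
  fi
  printf '%s %s\n' "$opts" "$pubkey"
}

# Append the line to authorized_keys (once), and keep the permissions sshd
# insists on: ~/.ssh must be 700 and authorized_keys 600.
install_authorized_line() {
  authfile="$1"; line="$2"
  dir=$(dirname "$authfile")
  mkdir -p "$dir" && chmod 700 "$dir"
  if ! grep -qF -- "$line" "$authfile" 2>/dev/null; then
    printf '%s\n' "$line" >> "$authfile"
  fi
  chmod 600 "$authfile"
}
```

The public key passed in is the full contents of tunnel_key.pub, and "$permit" is the host:port the tunnel is allowed to reach on the remote network.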
