[Techtalk] Horribly insecure ssh tunnel?

Conor Daly conor.daly at oceanfree.net
Tue Sep 10 21:49:51 EST 2002


On Tue, Sep 10, 2002 at 12:37:24PM +0100 or so it is rumoured hereabouts, 
Maria Blackmore thought:
> On Tue, 10 Sep 2002, Sophie wrote:
> 
> > On Mon, Sep/ 9/02 02:10:25PM +0100, Conor Daly wrote:
> > > I have two networks I wish to connect with an ssh tunnel.  Each network is
> > > on a dialup dynamic ip address and, as far as I know, only my local isp
> > > allows a connection to my network on port 22.  My idea is to have my local
> > > network email its ip address to the remote network which will, in turn,
> > > connect back via ssh.
> > 
> > I've no input whatsoever regarding tunnels, but regarding using
> > dynamic IPs, you may find something like ath.cx (dyndhs.org) useful.
> > Your local network updates the dns server (which takes effect
> > instantly, from experience) whenever its IP changes.
> 
> Not forgetting that the old information may well end up being cached by
> some name servers ..
> 
> If you were going to do it this way you would want to watch the ath.cx
> name servers directly
> 
> Wouldn't it be easier just to ask the ISPs in question for a static IP
> address, at least for one of the sites?
 
I had thought about dyndns before but I figured that was more suited to
the sort of dynamic ip address you might get with your cable modem that
would persist over days or longer.  I'm on a 56k dialup where my ip
address will change at each dialup and, since I'm in Ireland where
internet access is at the stage that most of the rest of Europe was at
five years ago, access is billed by the minute so connections are of short
duration.  One possibility is to upload my ip address to a web page and
have the remote network do likewise.  Then, when a connection is required,
the client need only pull the ip from the web and use it for ssh.  This
would make it less easy for someone to spoof the ip address.

As for a static ip, given Ireland's primitive state of the art, static ips
are not easy to come by (unless you're willing to pay handsomely for
technology that other countries have moved on from two generations ago!).
I'm lucky to get a routable ip address when I connect at all rather than a
192.168.x.x routed through the ISP's NAT server.  The closest Ireland has
to "flat rate" internet access is a 150 hour/month capped evenings and
weekends only 56k dialup service costing about EUR30 per month which is 
about what many Europeans pay for 516k ADSL 24/7!

(Hush now!  Stop whining!)

> > > It seems to me that authentication is the problem.
> > 
> > Possibly ssh-agent would be useful to you also?
> 
> The problem with ssh-agent is that you need to supply the passphrase at
> some point.

Given that this server will be taken down nightly (it will be in Malawi,
Africa where there are significant concerns about the quality of the mains
power, spikes, brownouts and regular thunderstorms come as standard), the
passphrase would need to be entered each morning.

> You could just use an RSA keypair with no passphrase, provided that the
> machine holding the private key was sufficiently secured.  Also
> remembering to use a keypair that is not the "regular" keypair might be an
> idea to consider (using the -i option to specify).

Unfortunately, I have no idea how physically secure the box will be (I'm
inclined to think not...).  I hope to make it reasonably secure network
wise (I'm beginning to think I should keep a clone here at home and post
out weekly update CDs since it'll be on a 56k dialup also so downloading
updates might not be an option...).

At the same time, the no passphrase keypair option has its possibilities.
I could do something along the lines of:

Home server				Remote server
email request for link...

					use passphraseless keypair to make
					ssh connection back to home server
					and initiate ppp link.  Deny
					access via this link except for...

Use passphrase secured keypair to
authenticate across ppp link and 
request access...

					If authenticated correctly, open
					link for access, otherwise
					terminate connection...

The initial passphraseless keypair can be locked down at my end to the single
function of starting the ppp link and won't be available for other uses.
The second passphrase-secured keypair will be used to authenticate and
the link will deny any access other than that interaction until the
authentication is successful (in fact, that could simply be a firewall
that allows only ssh through since ssh is pretty much all I would expect
to use at the distance...)

Of course, it _is_ possible that the remote ISP already allows port 22
through to its dialup clients.  In that case, all I need do is "ssh
remote.hosts.ip.addr" (using suitably secured keypairs of course) and I'm
in!  But I won't know that until the server is already there and
connected...  It might be a worthwhile exercise to send out a bootable
linux CD to be loaded on an existing MS Win98 box out there.  To have that
connect to the internet, email me its ip and listen on port 22 for an ssh
connect would help me a lot but that involves the effort of actually
building such a bootable CD as well (the linuxcare Bootable Business Card
is quite suited to this kind of thing...).
 
Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  9:07pm  up 11 days,  1:35,  0 users,  load average: 0.08, 0.02, 0.01
Hobbiton.cod.ie
  9:07pm  up 11 days,  1:16,  1 user,  load average: 0.09, 0.08, 0.02
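[Editor's added example, not code from Conor's post.] The post's plan hinges on locking the passphraseless keypair down "to the single function of starting the ppp link" on the home server. The usual way to do that with OpenSSH is a forced command in authorized_keys: sshd runs the command named in `command="..."` no matter what the client asked for, and the `no-*` options switch off port forwarding, agent forwarding, X11 and pty allocation for that key. The script below builds such an authorized_keys line and doubles as the forced command itself, handing the ssh session's stdin/stdout to pppd (whose `notty` option makes it use those instead of a terminal). The install path `/usr/local/sbin/ppp-forced-command`, the `start-ppp` token, the key file name and the 10.0.0.x tunnel addresses are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: lock the passphraseless
# keypair down to the single job of starting the ppp link, using an
# authorized_keys forced command on the home server.
# Hypothetical names: /usr/local/sbin/ppp-forced-command (this script's
# install path), the "start-ppp" token and the 10.0.0.x tunnel addresses.

# Build the authorized_keys line for the remote box's passphraseless key.
# command= makes sshd run our script instead of whatever the client asked for
# (the client's request is kept in $SSH_ORIGINAL_COMMAND); the no-* options
# switch off everything else a shell-less key could still be abused for.
#   $1 = public key line as written by ssh-keygen (type, base64, comment)
#   $2 = the only command this key may trigger
restrict_key() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$2" "$1"
}

# Defaults for the forced command; overridable from the environment so the
# logic can be exercised without a real pppd.
: "${PPPD:=/usr/sbin/pppd}"
: "${PPP_LOCAL:=10.0.0.1}"
: "${PPP_REMOTE:=10.0.0.2}"

# The forced command itself. Only the agreed token is accepted; anything else
# the client tried to run is logged to stderr and refused. On success the ssh
# session's stdin/stdout are handed to pppd (notty: use them, not a terminal).
# The remote side would bring the link up with something like
#   pppd notty noauth pty "ssh -i ~/.ssh/ppp_link_key home.ip.addr start-ppp"
# (an assumption about the remote side's setup, not from the post).
ppp_forced_command() {
    case "${SSH_ORIGINAL_COMMAND:-}" in
        start-ppp)
            # noauth: the ssh layer already authenticated the peer's key
            "$PPPD" notty noauth "$PPP_LOCAL:$PPP_REMOTE"
            ;;
        *)
            printf 'ppp-forced-command: refused "%s" from %s\n' \
                "${SSH_ORIGINAL_COMMAND:-}" "${SSH_CONNECTION:-unknown}" >&2
            return 1
            ;;
    esac
}

# Entry points when installed as /usr/local/sbin/ppp-forced-command:
#   ppp-forced-command authorize remote_ppp.pub >> ~/.ssh/authorized_keys
#   ppp-forced-command serve        (what the authorized_keys line runs)
case "${1:-}" in
    authorize)
        restrict_key "$(cat "$2")" "/usr/local/sbin/ppp-forced-command serve"
        ;;
    serve)
        ppp_forced_command
        ;;
esac
```

Two points worth noting. The `from="..."` restriction that would normally accompany a forced command is useless here because both ends are on dynamic dialup addresses, which is exactly why the forced command has to carry the whole restriction on its own. And the second, passphrase-protected keypair the post describes is then just an ordinary ssh login across the 10.0.0.x tunnel addresses, with the "deny everything except ssh" step being a firewall rule on the ppp interface rather than anything in this script.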
