[Techtalk] Horribly insecure ssh tunnel?

Conor Daly conor.daly at oceanfree.net
Wed Sep 11 16:28:12 EST 2002


On Wed, Sep 11, 2002 at 10:51:18AM +0100 or so it is rumoured hereabouts, 
Sophie thought:
> On Tue, Sep/10/02 09:49:51PM +0100, Conor Daly wrote:
> >  
> > I had thought about dyndns before but I figured that was more suited to
> > the sort of dynamic ip address you might get with your cable modem that
> > would persist over days or longer.
> 
> From my experience, dyndns updates instantly. At least, I've looked for a 
> delay, and it just doesn't happen :) It really does work quite well.
> 
> There are some with noticeable delays though, iirc dyn.dhs.org (who are 
> different to dyndns.org :) It seemed to take about half an hour for them. 
> This is from memory though, so I may be inaccurate. Also, I could, of 
> course, be totally wrong :)
> 
> > 192.168.x.x routed through the ISP's NAT server.  The closest Ireland has
> > to "flat rate" internet access is a 150 hour/month capped evenings and
> > weekends only 56k dialup service costing about EUR30 per month which is 
> > about what many Europeans pay for 516k ADSL 24/7!
> 
> Good grief! My sympathy
 
I know.  We're currently at the mercy of the telecoms monopoly (eircom) who 
refuse to offer anything other than per minute charging to other telcos who, 
in turn, cannot afford to offer flat-rate access to their customers.  One
telco offered a flat rate evenings and weekends service (called "no
limits").  Many of their customers took them at their word and treated the
service as unlimited (still only 56k dialup).  Some time later, they
received letters from the telco saying they were "overusing" the service
and were "not using the service in the proper spirit" and that their
accounts were being terminated.  This for a service specifically called
"no limits"!  Fortunately, the situation looks like it's finally going to
change.  A number of telcos are now offering time-capped evening and weekend
flat rate services and they claim they are approaching an agreement with
the Eircomonopoly which will allow them to roll out 24/7 flat rate
"soon"...  Mind you, I'm not holding my breath, blue tinged lips don't
really suit me!
 
> > Given that this server will be taken down nightly (it will be in Malawi,
> > Africa where there are significant concerns about the quality of the mains
> > power, spikes, brownouts and regular thunderstorms come as standard), the
> > passphrase would need to be entered each morning.
> 
> But you could put the public key on the server in Malawi, and have your 
> machine (which I hope you trust!) connect to it? Keypairs with no passphrase 
> are useful for automation, too.
> 
> Something like, your home machine logs in to the remote server, runs 
> whatever will make that machine initiate a link and logs out again, leaving 
> the remote machine continuing to run the link stuff.
 
If I can do that, I have no need of all the rest.  What I need to be able
to do is to connect to the remote machine from home.  If their ISP allows
port 22 in to the remote machine, I'm cooking.  The problem only arises if
the initial ssh connection is not allowed through _to_ the remote machine
by its ISP.  In that case _it_ needs to initiate the connection...
 
> > Of course, it _is_ possible that the remote ISP already allows port 22
> > through to its dialup clients.  In that case, all I need do is "ssh
> > remote.hosts.ip.addr" (using suitably secured keypairs of course) and I'm
> > in!  But I won't know that until the server is already there and
> > connected...
> 
> Good grief... this is getting convoluted :)
> 
> You can have the sshd listen on port other than 22, also, if they block 
> that. The only reason I can see for anything more elaborate is if the remote 
> machine is NATed behind something.
 
That may be the solution I need...  I'm not sufficiently au fait with the
"standard" ports allowed through firewalls to choose a suitable one (I
wouldn't like the African ISP to suddenly decide there's a Subseven trojan
traversing their firewall!)  The other possible objection is that I may not
be able to initiate a connection outbound on a high port through my work
firewall but then again, I wouldn't be able to have the remote machine
make a connection back to my work box either so that point is moot...

So, it's really only if the remote machine is behind a NAT server that
I'll need to have _it_ initiate any connections.
 
> > It might be a worthwhile exercise to send out a bootable
> > linux CD to be loaded on an existing MS Win98 box out there.  To have that
> > connect to the internet, email me its ip and listen on port 22 for an ssh
> > connect would help me a lot but that involves the effort of actually
> > building such a bootable CD as well ( the linuxcare Bootable Business Card
> > is quite suited to this kind of thing...).
> 
> Or you could ask them to run a windows-based "firewall" for the sole purpose 
> of displaying attempted connections, so you can see that machine's 
> perspective...

Just brings to mind a website http://www.grc.com which has a "test your
shields" that will probe back to your IP address and report on what
ports it sees.  That might be just the thing to have the remote site do
for the initial info...

> good luck!

Thanks, I reckon I'll need it!

Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  4:03pm  up 11 days, 20:30,  0 users,  load average: 0.08, 0.02, 0.01
Hobbiton.cod.ie
  4:02pm  up 11 days, 20:11,  1 user,  load average: 0.11, 0.09, 0.06
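The arrangement the thread keeps circling back to (the remote machine behind its ISP's NAT initiating the connection, using a passphrase-less key so nobody has to type anything after the nightly shutdown) written out as a reverse ssh tunnel. This is an added example, not code from either poster, and it assumes a current OpenSSH (the `restrict` and `permitlisten` authorized_keys options date from 7.4 and 7.8 respectively, long after this 2002 thread). The host name, account, port and address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a NATed remote box dials home and
# opens a reverse tunnel, plus the authorized_keys entry at home that keeps
# the passphrase-less automation key from doubling as a full login.
# Every host name, user, port and address below is a constructed placeholder.

HOME_HOST="home.example.invalid"   # assumed: the box at home that accepts the tunnel
HOME_USER="tunnel"                 # assumed: dedicated, unprivileged account on HOME_HOST
HOME_LISTEN_PORT=2222              # assumed: loopback port at home that leads back out
REMOTE_SRC_IP="203.0.113.10"       # assumed: address the remote dialup box connects from

# The command the remote machine runs once its dialup link is up.
#   -R 127.0.0.1:2222:localhost:22  sshd at home listens on loopback:2222 and
#                                   hands those connections to the remote sshd
#   -N                              no remote shell is requested
#   BatchMode=yes                   never prompt; fail fast if the key is refused
#   ExitOnForwardFailure=yes        exit (so the loop below retries) if 2222 is busy
#   ServerAliveInterval=60          notice a dropped dialup link within minutes
reverse_tunnel_cmd() {
    printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -R 127.0.0.1:%s:localhost:22 %s@%s\n' \
        "$HOME_LISTEN_PORT" "$HOME_USER" "$HOME_HOST"
}

# Weak ~/.ssh/authorized_keys entry at home: a passphrase-less key that, if the
# remote box is ever lost or compromised, hands out an ordinary shell at home.
weak_authorized_keys_line() {
    printf 'ssh-ed25519 AAAAC3...PLACEHOLDER remote-tunnel-key\n'
}

# Hardened entry for the same key. Options apply left to right:
#   restrict         no pty, no agent/X11 forwarding, no port forwarding, no ~/.ssh/rc
#   port-forwarding  re-enable forwarding (the -R listener needs it)
#   from=            accept the key only from the remote box's address (or, for a
#                    dynamic address, its ISP's range pattern)
#   permitlisten=    the only -R listener allowed is loopback:2222
#   command=         whatever the client asks to run, it gets /bin/false
hardened_authorized_keys_line() {
    printf 'restrict,port-forwarding,from="%s",permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$REMOTE_SRC_IP" "$HOME_LISTEN_PORT" "$(weak_authorized_keys_line)"
}

# Keep the tunnel up across nightly shutdowns and dropped links: reconnect
# whenever ssh exits, with a pause so a refused key does not hammer home.
tunnel_loop() {
    while :; do
        eval "$(reverse_tunnel_cmd)" || true
        sleep 30
    done
}

# Start the loop only when asked, so the file can also be sourced just to
# print the two configuration lines for comparison.
if [ "${1:-}" = "run" ]; then
    tunnel_loop
fi
```

Once the remote box has connected, `ssh -p 2222 someone@localhost` on the home machine lands on the remote sshd, and because the listener is bound to 127.0.0.1 only someone already logged in at home can reach it. `port-forwarding` also re-enables `-L` forwards for this key; a `permitopen=` option can pin those down if the home box runs anything on loopback worth protecting.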
