[GTALUG] dreamhost reply, is dh key exchange question.

Anthony de Boer adb at adb.ca
Wed Oct 10 15:47:31 EDT 2018


Jason Shaw via talk wrote:
> On Wed, Oct 10, 2018 at 3:06 PM Mike via talk <talk at gtalug.org> wrote:
> > That is, SSH to your other shell account, and instead of running your
> > email program, run "ssh user at eugene...", and once connected to eugene,
> > proceed as though you were connected directly.
> 
> This is a great recommendation and can be easily automated.  In your
> personal ssh config, usually ~/.ssh/config you can add in:
> 
> Host *.dreamhost.com
>         ProxyCommand ssh -q shellworld_host nc %h %p

Those suggestions are two very different things.  Mike is suggesting
SSH'ing to the shell on the intermediate box and then SSH'ing from it,
while Jason is suggesting to SSH the intermediate and then use it to
pipe an inner SSH connection through the outer SSH connection and emerge
there for the onward hop to the destination.

Caveat for the first solution: it involves using your credentials on the
intermediate box, so if anyone evil has compromised it they can now pop
the destination box too.

Caveat for the second solution: the SSH conversation still involves the
near-end client negotiating crypto with the far-end server, so if that
started off being the problem it's still that problem.  Also, the middle
box might not have nc (netcat) installed but there are other tactics
like LocalForward configuration that can do the same thing.

> > Such plumbing is often necessary for a variety of reasons.  Just make
> > sure you know where you are.  The commands "whoami", and "hostname"
> > are often useful!

Setting the bash prompt to include the hostname is helpful.  Always pause
a moment to be sure where you are before typing commands like reboot,
poweroff, and such.  I've even known people to alias away commands like
that on shared servers after inadvertently using them a time too many
thinking they were on their test rig.

-- 
Anthony de Boer


More information about the talk mailing list