[GTALUG] dreamhost reply, is dh key exchange question.

Jason Shaw grazer at gmail.com
Wed Oct 10 15:53:16 EDT 2018


On Wed, Oct 10, 2018, 15:47 Anthony de Boer via talk <talk at gtalug.org>
wrote:

> Jason Shaw via talk wrote:
> > On Wed, Oct 10, 2018 at 3:06 PM Mike via talk <talk at gtalug.org> wrote:
> > > That is, SSH to your other shell account, and instead of running your
> > > email program, run "ssh user at eugene...", and once connected to eugene,
> > > proceed as though you were connected directly.
> >
> > This is a great recommendation and can be easily automated.  In your
> > personal ssh config, usually ~/.ssh/config you can add in:
> >
> > Host *.dreamhost.com
> >         ProxyCommand ssh -q shellworld_host nc %h %p
>
> Those suggestions are two very different things.  Mike is suggesting
> SSH'ing to the shell on the intermediate box and then SSH'ing from it,
> while Jason is suggesting to SSH the intermediate and then use it to
> pipe an inner SSH connection through the outer SSH connection and emerge
> there for the onward hop to the destination.
>
> Caveat for the first solution: it involves using your credentials on the
> intermediate box, so if anyone evil has compromised it they can now pop
> the destination box too.
>
> Caveat for the second solution: the SSH conversation still involves the
> near-end client negotiating crypto with the far-end server, so if that
> started off being the problem it's still that problem.  Also, the middle
> box might not have nc (netcat) installed but there are other tactics
> like LocalForward configuration that can do the same thing.
>

Ooh, you're absolutely right!  I've been using this for so long that I didn't
stop to think about how it actually works under the hood.

> > > Such plumbing is often necessary for a variety of reasons.  Just make
> > > sure you know where you are.  The commands "whoami", and "hostname"
> > > are often useful!
>

Great recommendation.
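As an added illustration (not part of the thread, and not Dreamhost's or GTALUG's own configuration), here is the ~/.ssh/config plumbing discussed above written out in full, with the nc-based ProxyCommand Jason quoted beside two equivalent forms that do not need nc on the intermediate box. The alias shellworld_host comes from the thread; jump.example.org and the user name alice are placeholders.

```ssh_config
# Added example, not taken from the thread.  The intermediate shell account
# is the first hop; HostName and User are placeholders.
Host shellworld_host
    HostName jump.example.org
    User alice

# Variant 1 (as quoted in the thread): the intermediate's ssh runs nc, which
# connects onward to the Dreamhost host; needs nc installed over there.
Host *.dreamhost.com
    ProxyCommand ssh -q shellworld_host nc %h %p

# Variant 2: identical plumbing without nc.  "ssh -W host:port" (OpenSSH 5.4
# and later) makes the intermediate's sshd forward the session's stdio to
# %h:%p itself, so nothing extra has to be installed on the middle box.
# ssh applies the first matching value for each option, so uncomment only
# one of the two alternatives below after removing Variant 1.
#Host *.dreamhost.com
#    ProxyCommand ssh -q -W %h:%p shellworld_host

# Variant 3: ProxyJump (OpenSSH 7.3 and later) expresses the same hop as a
# single option, with no ProxyCommand at all.
#Host *.dreamhost.com
#    ProxyJump shellworld_host
```

In all three variants the inner SSH session is negotiated and encrypted end to end between the local client and the Dreamhost server; the intermediate box only relays ciphertext and never handles the destination credentials, which is the difference from logging into the shell account and running ssh from there that Anthony pointed out. The flip side, also as he noted, is that the key-exchange negotiation is still client-to-Dreamhost, so a key-exchange problem with that server is not worked around by any of them. The client also verifies the Dreamhost host key itself, so the usual known_hosts checking still applies; and once connected, "hostname" and "whoami" confirm which hop you actually landed on.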