[GTALUG] dreamhost reply, is dh key exchange question.
Karen Lewellen
klewellen at shellworld.net
Fri Oct 12 12:58:49 EDT 2018
Hi Anthony,
One issue not covered with this back door is what happens if shellworld
itself is down? That happened for two weeks recently. If I used
shellworld to somehow reach dreamhost, and shellworld is compromised, I
personally end up with no electronic contact with the outside world
whatsoever.
I am likewise not personally comfortable tapping shellworld servers to
reach the dreamhost ones; I agree with you that the problem would likely
remain. More important, though, neither of these solutions provides a
from-my-desktop-to-my-dreamhost-shared-account-workspace solution, which
is a must-have here.
Thanks,
Karen
On Wed, 10 Oct 2018, Anthony de Boer via talk wrote:
> Jason Shaw via talk wrote:
>> On Wed, Oct 10, 2018 at 3:06 PM Mike via talk <talk at gtalug.org> wrote:
>>> That is, SSH to your other shell account, and instead of running your
>>> email program, run "ssh user at eugene...", and once connected to eugene,
>>> proceed as though you were connected directly.
>>
>> This is a great recommendation and can be easily automated. In your
>> personal ssh config, usually ~/.ssh/config you can add in:
>>
>> Host *.dreamhost.com
>> ProxyCommand ssh -q shellworld_host nc %h %p
>
> Those suggestions are two very different things. Mike is suggesting
> SSH'ing to the shell on the intermediate box and then SSH'ing from it,
> while Jason is suggesting to SSH the intermediate and then use it to
> pipe an inner SSH connection through the outer SSH connection and emerge
> there for the onward hop to the destination.
>
> Caveat for the first solution: it involves using your credentials on the
> intermediate box, so if anyone evil has compromised it they can now pop
> the destination box too.
>
> Caveat for the second solution: the SSH conversation still involves the
> near-end client negotiating crypto with the far-end server, so if that
> started off being the problem it's still that problem. Also, the middle
> box might not have nc (netcat) installed but there are other tactics
> like LocalForward configuration that can do the same thing.
>
>>> Such plumbing is often necessary for a variety of reasons. Just make
>>> sure you know where you are. The commands "whoami", and "hostname"
>>> are often useful!
>
> Setting the bash prompt to include the hostname is helpful. Always pause
> a moment to be sure where you are before typing commands like reboot,
> poweroff, and such. I've even known people to alias away commands like
> that on shared servers after inadvertently using them a time too many
> thinking they were on their test rig.
>
> --
> Anthony de Boer
> ---
> Talk Mailing List
> talk at gtalug.org
> https://gtalug.org/mailman/listinfo/talk
>
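As an added example that is not from any poster in this thread: the ~/.ssh/config arrangement Jason describes, with the nc-less variants Anthony alludes to and the client-side host-key check he notes still applies. `shellworld_host` and `*.dreamhost.com` come from the thread; the HostName and User values are assumed placeholders.

```ssh_config
# Added example: "inner SSH through outer SSH" via an intermediate box.
# Only shellworld_host and *.dreamhost.com are from the thread; the rest
# are assumed placeholders.

# The intermediate box. Never forward the agent to it, so a compromised
# intermediate sees only an encrypted inner session passing through, not
# your keys or the destination password.
Host shellworld_host
    HostName shellworld.example   # assumed placeholder
    User karen                    # assumed placeholder
    ForwardAgent no
    IdentitiesOnly yes

Host *.dreamhost.com
    # Variant 1 (as posted in the thread): requires nc on the intermediate.
    ProxyCommand ssh -q shellworld_host nc %h %p
    # Variant 2: same plumbing without nc; "ssh -W" asks the intermediate's
    # sshd to open the TCP connection itself (OpenSSH 5.4 and later).
    #ProxyCommand ssh -q -W %h:%p shellworld_host
    # Variant 3: the built-in form of the same thing (OpenSSH 7.3 and later).
    #ProxyJump shellworld_host
    # In all three variants the key exchange and host-key verification still
    # run between this client and the dreamhost server, as Anthony points
    # out, so the known_hosts entry for the destination remains meaningful.
    StrictHostKeyChecking yes
    ForwardAgent no
```

With any of the three variants, `ssh -v user@host.dreamhost.com` shows the proxy being spawned and then the destination's host key being checked against ~/.ssh/known_hosts on the local machine.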