[GTALUG] dreamhost reply, is dh key exchange question.

Karen Lewellen klewellen at shellworld.net
Fri Oct 12 12:58:49 EDT 2018


Hi Anthony,
One issue not covered with this back door is what happens if shellworld
itself is down?  That happened for two weeks recently.  If I used
shellworld to somehow reach dreamhost, and shellworld is compromised, I
personally end up with no electronic contact with the outside world
whatsoever.
I am likewise not personally comfortable tapping shellworld servers to
reach the dreamhost ones; I agree with you that the problem would likely
remain.  More important, though, neither of these solutions provides a
from-my-desktop-to-my-dreamhost-shared-account-workspace solution, which
is a must-have here.

Thanks,
Karen




On Wed, 10 Oct 2018, Anthony de Boer via talk wrote:

> Jason Shaw via talk wrote:
>> On Wed, Oct 10, 2018 at 3:06 PM Mike via talk <talk at gtalug.org> wrote:
>>> That is, SSH to your other shell account, and instead of running your
>>> email program, run "ssh user at eugene...", and once connected to eugene,
>>> proceed as though you were connected directly.
>>
>> This is a great recommendation and can be easily automated.  In your
>> personal ssh config, usually ~/.ssh/config you can add in:
>>
>> Host *.dreamhost.com
>>         ProxyCommand ssh -q shellworld_host nc %h %p
>
> Those suggestions are two very different things.  Mike is suggesting
> SSH'ing to the shell on the intermediate box and then SSH'ing from it,
> while Jason is suggesting to SSH the intermediate and then use it to
> pipe an inner SSH connection through the outer SSH connection and emerge
> there for the onward hop to the destination.
>
> Caveat for the first solution: it involves using your credentials on the
> intermediate box, so if anyone evil has compromised it they can now pop
> the destination box too.
>
> Caveat for the second solution: the SSH conversation still involves the
> near-end client negotiating crypto with the far-end server, so if that
> started off being the problem it's still that problem.  Also, the middle
> box might not have nc (netcat) installed but there are other tactics
> like LocalForward configuration that can do the same thing.
>
>>> Such plumbing is often necessary for a variety of reasons.  Just make
>>> sure you know where you are.  The commands "whoami", and "hostname"
>>> are often useful!
>
> Setting the bash prompt to include the hostname is helpful.  Always pause
> a moment to be sure where you are before typing commands like reboot,
> poweroff, and such.  I've even known people to alias away commands like
> that on shared servers after inadvertently using them a time too many
> thinking they were on their test rig.
>
> -- 
> Anthony de Boer


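An added example, not from the thread or from either poster: a small POSIX shell helper that emits the ProxyCommand stanza Jason gave, its netcat-free `ssh -W` and `ProxyJump` equivalents that address Anthony's "middle box might not have nc" caveat, and a hostname guard for his "be sure where you are" advice. `shellworld_host` and the host pattern are placeholders, not real hosts.

```shell
#!/bin/sh
# Added example (not from the thread). Emits ssh_config stanzas for the
# "inner SSH through the outer SSH" hop and guards destructive commands
# behind a hostname check. Host names here are placeholders.

# Emit one ssh_config stanza. MODE is:
#   nc    - Jason's variant; needs netcat on the intermediate box
#   stdio - ssh -W (OpenSSH >= 5.4); no netcat needed on the intermediate
#   jump  - ProxyJump (OpenSSH >= 7.3); the modern spelling of the same thing
proxy_stanza() {
    mode=$1; jump=$2; pattern=$3
    printf 'Host %s\n' "$pattern"
    case $mode in
        nc)    printf '    ProxyCommand ssh -q %s nc %%h %%p\n' "$jump" ;;
        stdio) printf '    ProxyCommand ssh -q -W %%h:%%p %s\n' "$jump" ;;
        jump)  printf '    ProxyJump %s\n' "$jump" ;;
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Never hand the agent to the intermediate: the inner connection
    # authenticates end to end, so the middle box only relays ciphertext
    # and cannot reuse your credentials to reach the destination.
    printf '    ForwardAgent no\n'
}

# Refuse to run a command unless the host we are on is the one the
# operator intended. ACTUAL is passed in (normally "$(hostname)") so the
# check is easy to exercise without touching a real machine.
guard_host() {
    expected=$1; actual=$2; shift 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing: on $actual, expected $expected" >&2
        return 1
    fi
    "$@"
}

# Usage when run directly:
#   proxy_stanza stdio shellworld_host '*.dreamhost.com'
#   guard_host my-test-rig "$(hostname)" echo "would reboot here"
```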