stdio to port forward?
Darren Tucker
dtucker at zip.com.au
Mon May 24 19:25:22 EST 2004
Jefferson Ogata wrote:
>> ssh -o 'ProxyCommand ssh bastion connect yourhost 22' yourhost
>
> It also fails, on its own, to allow port forwarding without giving the
> user a shell, which I understood to be one of the basic goals.
I didn't get the impression that it was one of the basic goals (and I
just re-read the original post and still don't). The thing that was
specifically mentioned was a trojaned ssh client on the bastion host,
which it will protect against since at worst (or best, depending on your
point of view :-) trojaning netcat would let you do a MITM attack. (How
the bastion host got trojaned in the first place is a separate issue.)
I never said it was ideal, just fast (to set up, that is).
That said, I think the proposal would be useful since it uses existing
capabilities of sshd and removes the need for another binary, running
process and, as you noted, a valid shell on the bastion host (although
you can mitigate that with a forced command, as djm noted).
> The fast option is to use SSL with client certificates. stunnel is
> handy for this.
You can do that, but it requires extra software on both client and
bastion host, and it's non-trivial to set up.
(BTW, if anyone wants to actually do this, see
http://groups.google.com/groups?selm=c28pnq%24dj4%241%40gate.dodgy.net.au
for one way.)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
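As an added illustration of the setup discussed in this thread (not part of the original post): the client-side ProxyCommand relay through the bastion, paired with the forced-command restriction on the bastion that djm's mitigation refers to. `bastion`, `yourhost`, the key material and the user name are placeholders, and `nc` stands in for whatever relay binary (netcat, connect) the bastion actually has.

```text
# --- Client side: ~/.ssh/config ---
# The outer ssh talks to yourhost end to end; the bastion only relays bytes.
# Because the client checks yourhost's host key itself, a trojaned ssh on
# the bastion never sees the password, key or session, and a trojaned relay
# that tries to MITM shows up as a host key mismatch on the client.
Host yourhost
    ProxyCommand ssh -q bastion nc yourhost 22

# --- Bastion side: ~/.ssh/authorized_keys (one line; key abbreviated) ---
# The forced command pins this key to relaying one host:port, whatever
# command the client asks for. The extra options remove the shell, pty and
# all ssh-level forwarding, so the key is useless for anything except this
# relay even if it leaks.
command="nc yourhost 22",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...relay-key... user@client

# Check from the client on first use: the fingerprint prompted for must be
# yourhost's, not the bastion's.
#   ssh -o StrictHostKeyChecking=ask yourhost
```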