stdio to port forward?
Dan Kaminsky
dan at doxpara.com
Mon May 24 19:32:51 EST 2004
A user cannot configure their public keys with a server w/o access to
some sort of shell. Another reason to support a pubkey subsystem -- we
also get to avoid homegrown PHP flying around the file system with root
permissions updating authorized_keys files and getting away with it
because "ssl makes it se-kure" :-)
Also, an obvious disadvantage of the system below is that the client
can't direct its final destination. That makes it a no-go for most
bastion uses (what are you going to use -- a separate account for each
destination? A separate port?).
--Dan
Damien Miller wrote:
>Jefferson Ogata wrote:
>
>
>>Darren Tucker wrote:
>>
>>
>>
>>>Well, the "fast" option is to use connect/netcat:
>>>
>>>ssh -o 'ProxyCommand ssh bastion connect yourhost 22' yourhost
>>>
>>>The disadvantage is you need connect or netcat on the bastion host. (I
>>>also had problems with netcat not exiting but apparently recent
>>>versions don't do that).
>>>
>>>
>>It also fails, on its own, to allow port forwarding without giving the user a
>>shell, which I understood to be one of the basic goals.
>>
>>
>
>One could use an authorized_keys file with command="nc host 22".
>
>If you don't trust the bastion, then you should definitely be using
>pubkey authentication anyway: it binds to the session id and thus the
>server's host key, making MITM nearly impossible (assuming the client
>already knows about the server's host key)
>
>-d
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
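As an added example (not from the thread or from OpenSSH itself): the forced-command authorized_keys approach Damien suggests, written as a generator for one restricted entry plus a small audit that flags forced-command entries missing the options that would otherwise still let the key open a pty or forward ports. The host name, key material and file path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Bastion-side authorized_keys entry that
# forces "nc host 22" and denies everything else the key could otherwise do,
# plus an audit over an authorized_keys file for forced-command entries that
# lack those restrictions. Host and key values are constructed placeholders.

# Emit one restricted entry.
# $1 = destination host, $2 = public key ("type base64 comment")
forced_nc_entry() {
    printf 'command="nc %s 22",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$1" "$2"
}

# Audit an authorized_keys file ($1): report each forced-command entry that is
# missing one of the four restriction options. Returns 0 if all such entries
# are fully restricted, 1 otherwise. Blank lines and comments are skipped.
audit_forced_commands() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            *command=*) ;;
            *) continue ;;
        esac
        for opt in no-pty no-port-forwarding no-X11-forwarding no-agent-forwarding; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "missing $opt: $line"; rc=1 ;;
            esac
        done
    done < "$1"
    return $rc
}

# Stand-alone demo with a constructed key (placeholder, not a real key).
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_NO_DEMO" ]; then
    demo=$(mktemp)
    forced_nc_entry yourhost "ssh-ed25519 AAAAC3PLACEHOLDER alice@client" > "$demo"
    audit_forced_commands "$demo" && echo "all forced-command entries restricted"
    rm -f "$demo"
fi
```

Each entry still pins one destination per key, which is the limitation Dan raises above.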