scp -S, sftp -S
dtucker at zip.com.au
Fri Aug 5 02:56:57 EST 2005
Frederik Eaton wrote:
>>If you have pubkey auth then it's pretty much transparent.
>>You pay a price in multiple encryption (although you can mitigate this
>>by specifying a fast cipher like arcfour for the intermediate hops.)
>>One day I'd like ssh to learn how to establish a single port forward and
>>pass the traffic to and from stdin/stdout, which would remove the need
>>to have connect/nc on the intermediate hosts (and the modified ssh would
>>only be required on the client end).
> I see. That would be nice. But why was 'connect' needed at all?
Because a proxycommand operates on stdio, you need to make a TCP
connection somehow. If ssh learns the above then it won't be necessary.
> I found that nesting ssh as I described works fine (except that you need
> a wrapper script to manage the task of quoting your command properly).
I don't follow: with the example I gave, a multi-hop ssh works exactly
the same as a single-hop.
> Does your version have lower latency or something?
The main thing it gives you is a guaranteed end-to-end SSH connection
a) a verifyable host key on *your* client, thus no MITM.
b) 8-bit clean
c) no quoting problems
d) no managing local port numbers, no chance of collision.
> I guess my version
> puts some extra encryption burden on the firewall, and doesn't have
> end-end encryption, so if you don't trust the firewall operator...
I'm guessing you do the the equivalent of "ssh -t hosta ssh hostb"? If
so then you're vulnerable to snooping and/or MITM at each of the
intermediate hops since the traffic is fully decrypted then passed to
ssh for re-encryption. (I have heard of compromises of this configuration.)
> Anyway, I do this often enough that I think I'll find my shorter
> syntax quite useful. If necessary, the wrapper script can always be
> modified to chain things with ProxyCommand instead of through the ssh
> remote command arguments.
Sure, do what works for you. I was just offering some options.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev