scp -S, sftp -S
Frederik Eaton
frederik at a5.repetae.net
Fri Aug 5 03:14:45 EST 2005
> ...
> >I found that nesting ssh as I described works fine (except that you need
> >a wrapper script to manage the task of quoting your command properly).
>
> I don't follow: with the example I gave, a multi-hop ssh works exactly
> the same as a single-hop.
By "nesting ssh" I'm referring to my method which you reproduce below,
i.e. passing an ssh command to ssh.
> >Does your version have lower latency or something?
>
> The main thing it gives you is a guaranteed end-to-end SSH connection
> and thus:
> a) a verifiable host key on *your* client, thus no MITM.
> b) 8-bit clean
> c) no quoting problems
> d) no managing local port numbers, no chance of collision.
>
> >I guess my version
> >puts some extra encryption burden on the firewall, and doesn't have
> >end-end encryption, so if you don't trust the firewall operator...
>
> I'm guessing you do the equivalent of "ssh -t hosta ssh hostb"? If
> so then you're vulnerable to snooping and/or MITM at each of the
> intermediate hops since the traffic is fully decrypted then passed to
> ssh for re-encryption. (I have heard of compromises of this configuration.)
>
> >Anyway, I do this often enough that I think I'll find my shorter
> >syntax quite useful. If necessary, the wrapper script can always be
> >modified to chain things with ProxyCommand instead of through the ssh
> >remote command arguments.
>
> Sure, do what works for you. I was just offering some options.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
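The ProxyCommand-based chaining mentioned above, as an added example that is not code posted by either participant and not part of OpenSSH. It generates ssh_config stanzas so that a multi-hop connection is one end-to-end SSH session from the local client, in contrast to the "ssh -t hosta ssh hostb" form. The host names hopa, hopb and target are placeholders, and "ssh -W" is assumed to be available (it appeared in OpenSSH 5.4, after this thread; older clients used "ProxyCommand ssh hopa nc %h %p" for the same purpose).

```shell
#!/bin/sh
# Added example for this thread (not the participants' code, not OpenSSH's).
# Host names hopa, hopb, target are placeholders; "ssh -W" assumed available.

# chain_config HOP1 [HOP2 ...] TARGET
# Prints a Host stanza for every host after the first, routing it through
# the host listed just before it. Every ssh in the resulting chain runs on
# the local machine, so each hop's key and the target's key are checked
# against the local known_hosts, and no hop can read the session: "ssh -W"
# only relays the still-encrypted TCP stream of the next SSH connection.
chain_config() {
    prev=""
    for host in "$@"; do
        if [ -n "$prev" ]; then
            printf 'Host %s\n    ProxyCommand ssh -W %%h:%%p %s\n' "$host" "$prev"
        fi
        prev="$host"
    done
}

# one_hop_cmd HOP TARGET
# The same idea as a single command line for one intermediate hop. The
# outer ssh expands %h and %p to TARGET and its port before running the
# ProxyCommand, so no config file is needed. Deeper chains belong in
# chain_config: each extra level on the command line would need its own
# layer of shell quoting plus %% escaping of the inner %h:%p, which is
# exactly the quoting problem the nested "ssh -t hosta ssh hostb" form has.
one_hop_cmd() {
    printf "ssh -o ProxyCommand='ssh -W %%h:%%p %s' %s\n" "$1" "$2"
}

# Demo: stanzas for local -> hopa -> hopb -> target, and the one-hop
# command line for local -> hopa -> target. Nothing here connects anywhere.
chain_config hopa hopb target
one_hop_cmd hopa target
```

Append the printed stanzas to ~/.ssh/config (not a file passed with -F: the inner ssh started by ProxyCommand reads the default config, not the outer -F file) and "ssh target" then traverses hopa and hopb with the target's host key verified locally. Because the chaining lives in ssh_config, scp and sftp pick it up as well without any -S wrapper.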