(sslh) VPN over SSH: State of the art?

Jan Bergner jan.bergner at indurad.com
Fri Jan 4 22:50:28 AEDT 2019



Am 04.01.19 um 12:20 schrieb Thomas Güttler:

> Hi Jan and other ssh-experts,
> 
> yes, that's not what I had in mind. But why not? I think it is a valid
> solution.
> 
> I am a bit afraid: If setting it up fails, we lose control over our
> remote machines,
> since ssh is the only permanent connection we have.
> 
> Thank you,
>   Thomas

I see your point. Remote work on a production system always makes my
heart beat faster, too. ^^
Some safeguards come to mind, but I cannot really make a suggestion,
since any such procedure should be something that you yourself feel
comfortable with. So, let me just give you some ideas. However, only
attempt one of these if you are sure what you are doing!

* A temporary second SSH service could be launched on another port. This
port could be forwarded to a second SSH server by using remote forwarding.

* If you can access your server via browser, you could temporarily set
up a web shell like this:
https://github.com/shellinabox/shellinabox
Using the LOGIN parameter, you would be completely independent of SSH.
(While you could still remote-forward your web port to another SSH
server, if it were firewalled.)
You should note that sslh can also multiplex HTTPS and OpenVPN. So,
if you have an open port 443 for HTTPS, you could use this one and not
touch your SSH at all.

* You could make a backup of your machines' configs. Then, you build a
dead man's switch. To do this, you might start a screen as root user and
do something like:
sleep 5m ; some_command_to_restore_system_from_backup ; reboot
Then, you start that sequence and detach the screen. Now, you can try to
set up the system as you need it and apply your changes. If you lose
your connection, you just wait until the sleep command inside the
screen ends and the restore command kicks in.

Personally, I think that the first solution would be the easiest one,
the second solution would be the safest one and the third solution would
be the fastest one.
Should you find none of them suitable, you might want to go back to your
original VPN-over-SSH approach. (You'd have to wait for someone else's
advice in this case. I don't have any experience with this part of SSH.)


Good luck and best regards,
Jan
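The first and third suggestions in Jan's mail, written out as a shell script. This is an added example, not code from this thread, from sslh or from OpenSSH. It assumes a pid file under /tmp, a rescue sshd on port 2222, and that tar and nohup are available; nohup stands in for the detached screen session, and the "restore" step is a plain tar extraction of the backup over the config directory.

```sh
#!/bin/sh
# Dead man's switch for a risky remote change, combining the "temporary
# second sshd" and "restore after a timeout" ideas from the mail above.
# Added illustration, not code from the thread; all paths, the pid-file
# location and the rescue port 2222 are assumptions.
#
# Flow: back up the config tree -> arm a detached timer that restores it
# (and optionally reboots) -> make the risky change -> reconnect over the
# new path -> disarm the timer. If the connection is lost instead, the
# timer fires and the old configuration comes back on its own.

set -u

# Where the armed timer records its PID (assumed location).
DEADMAN_PID_FILE="${DEADMAN_PID_FILE:-/tmp/deadman.pid}"

# Snapshot a config directory into a tarball. Fails if nothing was written.
backup_configs() {            # backup_configs <dir> <tarball>
    tar -C "$1" -cf "$2" . && [ -s "$2" ]
}

# Unpack the snapshot over the config directory. Note: files added after
# the backup are left in place; only files in the snapshot are overwritten.
restore_configs() {           # restore_configs <tarball> <dir>
    tar -C "$2" -xf "$1"
}

# Arm the switch: after <seconds>, restore <tarball> into <dir> and run
# <after_cmd> ("reboot" on a real box; the test passes "true"). nohup
# detaches the timer from the SSH session that started it, which is what
# starting it inside a detached screen achieves in the mail. The timer
# removes its own pid file when it fires, so deadman_armed stays honest.
arm_deadman() {               # arm_deadman <seconds> <tarball> <dir> <after_cmd>
    [ -s "$2" ] || { echo "no backup at $2" >&2; return 1; }
    nohup sh -c "sleep $1 && rm -f '$DEADMAN_PID_FILE' \
        && tar -C '$3' -xf '$2' && $4" >/dev/null 2>&1 &
    echo $! > "$DEADMAN_PID_FILE"
}

# Disarm once the new path is verified. Fails if nothing is armed (or the
# timer has already fired and restored the old state).
disarm_deadman() {
    [ -f "$DEADMAN_PID_FILE" ] || return 1
    pid=$(cat "$DEADMAN_PID_FILE")
    rm -f "$DEADMAN_PID_FILE"
    kill "$pid" 2>/dev/null
}

# True while the timer is still pending.
deadman_armed() {
    [ -f "$DEADMAN_PID_FILE" ] && kill -0 "$(cat "$DEADMAN_PID_FILE")" 2>/dev/null
}

# Rescue path for the first suggestion in the mail: a second sshd on its
# own port and pid file, so the main sshd can be reconfigured or restarted
# without losing the way in. Not exercised by the test; assumes the usual
# sshd location.
start_rescue_sshd() {         # start_rescue_sshd <port>
    /usr/sbin/sshd -p "$1" -o PidFile=/run/sshd-rescue.pid
}

# Typical session (comments only; nothing below runs when sourced):
#   backup_configs /etc/ssh /root/ssh-backup.tar
#   start_rescue_sshd 2222        # verify first: ssh -p 2222 root@host
#   arm_deadman 300 /root/ssh-backup.tar /etc/ssh reboot
#   ... edit /etc/ssh/sshd_config, restart sshd, reconnect on port 22 ...
#   disarm_deadman                # only after the new login works
```

Disarm only after the new login has actually been tested from a fresh connection; the existing session surviving says nothing about whether the new configuration accepts logins. If the rescue sshd port is firewalled from the outside, forward it out with `ssh -R` to a host you control, as the mail suggests, before arming the timer.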



