Conversations on my remote user/site problem

Ed Allen era at jimani.com
Fri Jan 25 19:16:42 CST 2008


On Thu, Jan 24, 2008 at 05:23:50PM -0600, Oren Beck wrote:
> An idea I had was a script to capture the IP of the remote livedistro, have
> it Email that to me and then telnet etc in
> 
The problem with that is that telnet is not encrypted so it can be
sniffed at least and might be subject to being hijacked.

Never use telnet when ssh is available.

The script I posted to this list connects from the client machine so
that firewalls, most of which allow outgoing connections, will not interfere.

The script goes out to a server you control, logs in as
'resue01@yourmachine.net' and adds the client's public key to the
.ssh/known_hosts file.  After that logins to 'resue01@yourmachine.net'
will not ask for a password.

It then uses this passwordless login to find the first open port in
the range 9110 through 9119, uses the open port to start an ssh port
forwarding listener.  What that does is allow you to 'ssh -p9110
rescue@127.0.0.1' which connects you, via the loopback interface
(127.0.0.1), to port 22 of the client machine.

Port 22 is ssh and responds to incoming connections (the ones blocked
by firewalls) and allows login as a non-root user.

So this allows punching through firewalls because both the outgoing login
to your server and the ssh tunnel back to the client box are encrypted
so those in charge of the firewalls do not know what you are doing and
are therefore unlikely to attempt blocking you or the client.

I add -X to the 'resue01@yourmachine.net' so X programs can be started
on the client box but display on your screen (helps if you have a higher
resolution display than clients do, that way you see their entire screen
without needing to scroll).

I also add -C to use compression whenever it can because text
only uses between five and six bits of information for each byte
sent/received. (makes low speed links more usable)

I suggest that we set up a 'server' and a few 'clients' at the next
meeting on Feb 06.  That way you can see that this complex-to-explain
operation runs extremely easily.
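
The port selection and tunnel steps described in the message above, as an added example in POSIX shell (not the script posted to the list). The relay account and host name are placeholders, the relay is assumed to have `ss`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: client side of the reverse tunnel (not the list's script).
# Assumptions: RELAY is a placeholder account/host; the relay has `ss`.
RELAY="rescue01@relay.example.net"
PORT_LO=9110
PORT_HI=9119

# Constructed sample of `ss -ltn` output from the relay, for offline checks.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:9110     0.0.0.0:*
LISTEN 0      128    [::1]:9111         [::]:*'

# Read `ss -ltn` output on stdin; print the first port in the range with no
# listener on any address. Returns 1 when all ten ports are in use.
first_free_port() {
    used=$(awk 'NR > 1 { n = split($4, a, ":"); print a[n] }')
    port=$PORT_LO
    while [ "$port" -le "$PORT_HI" ]; do
        if ! printf '%s\n' "$used" | grep -qx "$port"; then
            printf '%s\n' "$port"
            return 0
        fi
        port=$((port + 1))
    done
    return 1
}

# -R spec: listen on the relay's loopback only, forward to the client's sshd.
reverse_spec() {
    printf '127.0.0.1:%s:127.0.0.1:22' "$1"
}

open_tunnel() {
    port=$(ssh "$RELAY" ss -ltn | first_free_port) || {
        echo "no free port in $PORT_LO-$PORT_HI on relay" >&2
        return 1
    }
    echo "on the relay: ssh -p$port rescue@127.0.0.1" >&2
    # ExitOnForwardFailure: quit if another client took the port after the
    # check, rather than staying logged in with no tunnel.
    ssh -N -C -o ExitOnForwardFailure=yes -R "$(reverse_spec "$port")" "$RELAY"
}

# Only touch the network when asked to.
if [ "${1:-}" = "--connect" ]; then open_tunnel; fi
```

Because the listener is bound to 127.0.0.1 on the relay, only someone already logged in to the relay can reach the client's port 22 through it.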



