Re: scp -S, sftp -S

08-04-2005
Darren Tucker

Re: scp -S, sftp -S

Frederik Eaton wrote:
>>[...]
>>If you have pubkey auth then it's pretty much transparent.
>>
>>You pay a price in multiple encryption (although you can mitigate this
>>by specifying a fast cipher like arcfour for the intermediate hops.)
>>
>>One day I'd like ssh to learn how to establish a single port forward and
>>pass the traffic to and from stdin/stdout, which would remove the need
>>to have connect/nc on the intermediate hosts (and the modified ssh would
>>only be required on the client end).

>
> I see. That would be nice. But why was 'connect' needed at all?


Because a proxycommand operates on stdio, you need to make a TCP
connection somehow. If ssh learns the above then it won't be necessary.

> I found that nesting ssh as I described works fine (except that you need
> a wrapper script to manage the task of quoting your command properly).


I don't follow: with the example I gave, a multi-hop ssh works exactly
the same as a single-hop.

> Does your version have lower latency or something?


The main thing it gives you is a guaranteed end-to-end SSH connection
and thus:
a) a verifiable host key on *your* client, thus no MITM.
b) 8-bit clean
c) no quoting problems
d) no managing local port numbers, no chance of collision.

> I guess my version
> puts some extra encryption burden on the firewall, and doesn't have
> end-end encryption, so if you don't trust the firewall operator...


I'm guessing you do the equivalent of "ssh -t hosta ssh hostb"? If
so then you're vulnerable to snooping and/or MITM at each of the
intermediate hops since the traffic is fully decrypted then passed to
ssh for re-encryption. (I have heard of compromises of this configuration.)

> Anyway, I do this often enough that I think I'll find my shorter
> syntax quite useful. If necessary, the wrapper script can always be
> modified to chain things with ProxyCommand instead of through the ssh
> remote command arguments.


Sure, do what works for you. I was just offering some options.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
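The ProxyCommand chaining Darren describes, generalised to any number of intermediate hops, as an added example that is not code from the thread: each hop after the first is reached through a TCP relay (nc) run on the previous hop, so the SSH session to the final host is end-to-end and its host key is checked on the local client. Host names (bastion, hopb, target) are constructed placeholders, and nc is assumed to be installed on every intermediate hop.

```shell
#!/bin/sh
# Added example, not from the thread. Generates ssh_config stanzas that
# chain ProxyCommand through a list of hops. Unlike "ssh -t hosta ssh hostb",
# no intermediate hop ever sees plaintext: nc only shuttles encrypted bytes.

# proxy_chain HOP1 HOP2 ... HOPN
# Prints a Host stanza for every hop after the first. HOP1 is reached
# directly; HOPk is reached by running nc on HOP(k-1).
proxy_chain() {
    prev=$1
    shift
    for host in "$@"; do
        printf 'Host %s\n' "$host"
        # %h and %p are expanded by ssh to the target host and port of the
        # stanza being connected to; nc on the previous hop relays to them.
        printf '    ProxyCommand ssh %s nc %%h %%p\n' "$prev"
        prev=$host
    done
}

# Example chain (constructed names): bastion -> hopb -> target.
# Append the output to ~/.ssh/config and "ssh target" then opens one
# end-to-end SSH session whose host key is verified locally.
proxy_chain bastion hopb target
```

Later OpenSSH releases added `ssh -W host:port` and the ProxyJump option, which do exactly what Darren wishes for here and remove the need for nc on the intermediate hosts.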