
Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org


From: Bob Proulx
Subject: Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Date: Fri, 23 Jan 2009 14:31:43 -0700
User-agent: Mutt/1.5.13 (2006-08-11)

Ward Vandewege wrote:
> If the inconvenience is simply having to jump through a machine to get to
> lists, you could use a .ssh/config stanza like this to automate it:
> 
>  Host lists
>    ProxyCommand ssh address@hidden -C $SSH_PROXY_FLAGS nc -w60 lists.gnu.org 22

I have often had trouble with 'nc' not detecting connection closures
(apparently by design) and remaining around indefinitely and needing
to have the processes cleaned up by other means.  Because of this I
found nc to be less than great for this purpose, which was unfortunate.

I recommend using the 'connect' command instead.  It was designed
specifically for the purpose of use with ssh's ProxyCommand but is
also a useful general purpose tool.  Using connect the line would be:

  ProxyCommand ssh -qq address@hidden connect %h %p

For me -qq worked best because the outermost ssh would report the
error appropriately.  Having the subprocess ssh report errors too
created less helpful output.  YMMV.

The connect program is in the "connect-proxy" package.

However jumping through a secondary machine requires either forwarding
your ssh agent through the intermediate machine or typing in your
password for each connection.  Many people dislike forwarding their
agent onto secondary machines.  Requiring that the password be typed
in again and again isn't good for security either.

On the original topic, I also think that it isn't a problem to have
ssh access to lists from anywhere.  If the noise in the logfiles annoys
you then using 'fail2ban' works well to curb it.  But I am confident
that with reasonable passwords brute force attacks cannot
succeed.  Restricting login to ssh rsa keys only would prevent any
worry at all about brute force attacks and would be better than IP
restrictions.

Bob
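As an added example (not part of Bob's message or the thread), here is a client-side ~/.ssh/config that realises the connect-based ProxyCommand above and, going beyond the message, the equivalent forms OpenSSH built in later (-W stdio forwarding and ProxyJump), followed by the sshd_config lines for the key-only login recommended at the end. In every form the outer ssh authenticates to lists.gnu.org end to end, so the local key or agent serves both hops without being forwarded to the intermediate machine; jump.example.org and the user name alice are placeholders.

```sshconfig
# ~/.ssh/config (client side). Constructed example: jump.example.org and
# the user name alice are placeholders, not hosts or accounts from the thread.

# The intermediate machine, referenced by alias from the stanzas below.
Host jump
    HostName jump.example.org
    User alice
    # Keep the agent local; the relaying forms below never need it on the
    # intermediate machine because the final authentication runs end to end.
    ForwardAgent no

# Form 1: the 'connect' relay from the message (package connect-proxy on the
# intermediate host). %h and %p expand to the final host and port; -qq keeps
# the inner ssh quiet so that only the outer ssh reports errors.
Host lists-connect
    HostName lists.gnu.org
    ProxyCommand ssh -qq jump connect %h %p

# Form 2: OpenSSH's built-in stdio forwarding (-W, OpenSSH 5.4 and later).
# No nc or connect binary is needed on the intermediate host.
Host lists-w
    HostName lists.gnu.org
    ProxyCommand ssh -qq -W %h:%p jump

# Form 3: ProxyJump (OpenSSH 7.3 and later), shorthand for form 2.
Host lists
    HostName lists.gnu.org
    ProxyJump jump

# /etc/ssh/sshd_config on lists.gnu.org (server side): the key-only login
# recommended at the end of the message. Keep a working key-based session
# open while reloading sshd, in case the change locks out the account.
PasswordAuthentication no
# Named KbdInteractiveAuthentication in OpenSSH 8.7 and later.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
```

After the server change, `ssh -o PreferredAuthentications=password lists` should be refused with "Permission denied (publickey)", which is the quick check that password guessing no longer has anything to guess against.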



