> Jeffrey Ross wrote:
>>
>> Konstantin Svist wrote:
>>>
>> I've never tried using chroot for anything, but to handle the ssh issue
>> have the user enter the command:
>>
>> ssh -R 12345:127.0.0.1:22 username@yourhost
>>
>> have the user log in. At this point you can enter:
>>
>> ssh -p 12345 username@xxxxxxxxx
>>
>> where username is the username on your client's machine.
>>
>> If you want to take it one step further you can enter:
>>
>> ssh -D 4567 -p 12345 username@xxxxxxxxx
>>
>> now your local machine is running as if it's a SOCKS proxy and any
>> software that can be told to use a proxy will be able to connect to
>> the remote network; set the proxy host to be 127.0.0.1 and the port to
>> be 4567 (you can adjust the port if you like)
>>
>> What I do for my own use is use the "-D" option and a program I found
>> called "connect"
>> http://www.taiyo.co.jp/~gotoh/ssh/connect.c
>> and then put in ~/.ssh/config these two lines:
>>
>> host 10.*
>> ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:4567 %h %p
>>
>> you can do "host *.foo.com" as well and it will match anything in the
>> .foo.com domain.
>>
>> Now every time I type "ssh username@xxxxxxxx" it automatically proxies
>> my connection if the ssh tunnel is up.
>>
>> Jeff
>
> Doesn't allowing the other user to create an SSH tunnel lower your
> security? They might append a -L option (when they do ssh -R) and -
> presto - they have unfirewalled access to your ports. Granted, this is
> usually not an issue when users on the other side are newbies - but if
> you get used to this technique and use it when it's not safe... you get
> the point
>

I didn't say it provided security; it does allow you to get around
firewalls and NAT translations. It also shows that a firewall should not
be your only line of defense, as it can easily be defeated by
well-intentioned uses.
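
The -L concern raised in the thread can be closed off on the helper's side in sshd_config. The fragment below is an added example, not part of the original messages; the account name "remotehelp" is a placeholder, 12345 is the port from the thread, and PermitListen assumes OpenSSH 7.8 or later.

```sshd_config
# /etc/ssh/sshd_config on the helper's host ("yourhost" in the thread).
# Constructed example: "remotehelp" is a placeholder account used only
# for incoming support tunnels.

# For contrast, the OpenSSH default that the reply worries about.
# With it, the same login that sets up -R can also pass -L or -D and
# reach whatever this host can reach.
#AllowTcpForwarding yes

Match User remotehelp
    # Allow only remote (-R) forwards; -L and -D requests are refused.
    AllowTcpForwarding remote

    # The only listener this account may open is port 12345.
    # A port-only value is used because ssh requests the listen host
    # "localhost" when none is given, which is matched differently
    # from an explicit 127.0.0.1.
    PermitListen 12345

    # Bind remote forwards to loopback only, whatever the client asks.
    GatewayPorts no

    # Close the other forwarding channels.
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no

    # Restricting forwarding means little if the account has a shell,
    # since the user could run their own forwarder. Deny the TTY and
    # force a command that exits immediately.
    PermitTTY no
    ForceCommand /bin/false

# Check syntax with "sshd -t" before reloading the daemon.
```

With this in place the remote user connects with `ssh -N -R 12345:127.0.0.1:22 remotehelp@yourhost`; without -N the forced command exits and the session closes, taking the tunnel with it.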