
On Wed, Oct 10, 2018, 15:47 Anthony de Boer via talk <talk@gtalug.org> wrote:
Jason Shaw via talk wrote:
On Wed, Oct 10, 2018 at 3:06 PM Mike via talk <talk@gtalug.org> wrote:
That is, SSH to your other shell account, and instead of running your email program, run "ssh user@eugene...", and once connected to eugene, proceed as though you were connected directly.
This is a great recommendation and can be easily automated. In your personal ssh config, usually ~/.ssh/config you can add in:
Host *.dreamhost.com
    ProxyCommand ssh -q shellworld_host nc %h %p
Those suggestions are two very different things. Mike is suggesting SSH'ing to the shell on the intermediate box and then SSH'ing from it, while Jason is suggesting to SSH the intermediate and then use it to pipe an inner SSH connection through the outer SSH connection and emerge there for the onward hop to the destination.
Caveat for the first solution: it involves using your credentials on the intermediate box, so if anyone evil has compromised it they can now pop the destination box too.
Caveat for the second solution: the SSH conversation still involves the near-end client negotiating crypto with the far-end server, so if that started off being the problem it's still that problem. Also, the middle box might not have nc (netcat) installed but there are other tactics like LocalForward configuration that can do the same thing.
Ooh, you're absolutely right! I've been using this for so long that I didn't stop to think about how it actually works under the hood.
Such plumbing is often necessary for a variety of reasons. Just make sure you know where you are. The commands "whoami" and "hostname" are often useful!
Great recommendation.
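As an added example (not from any poster in this thread), the same plumbing Jason describes written without netcat on the intermediate box, plus the setting that keeps the caveat Anthony raised from applying; shellworld_host and *.dreamhost.com are the names from Jason's snippet, and shell.example.net is a placeholder for the intermediate's real address:

```ssh_config
# Added example, not from the thread. Assumes the intermediate shell account
# is reachable as "shellworld_host" and the destination matches
# *.dreamhost.com, as in Jason's snippet.

# Same effect as "ProxyCommand ssh -q shellworld_host nc %h %p", but
# "ssh -W" asks the intermediate's sshd to open the TCP forward itself
# (OpenSSH 5.4 and later), so netcat need not be installed there.
Host *.dreamhost.com
    ProxyCommand ssh -q -W %h:%p shellworld_host

# Built-in equivalent on OpenSSH 7.3 and later; use instead of the
# ProxyCommand line above, not together with it.
# Host *.dreamhost.com
#     ProxyJump shellworld_host

# Either way the inner SSH session is end-to-end: the client authenticates
# to the destination itself, so the private key or destination password
# never passes through the intermediate. That is the difference from
# "ssh in, then ssh again" that Anthony points out. Keep agent forwarding
# off so a compromised intermediate cannot borrow the key either.
Host shellworld_host
    # placeholder address for the intermediate box
    HostName shell.example.net
    ForwardAgent no
```

Once connected, "hostname" and "whoami" confirm which hop you actually landed on, as suggested above.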