Re: Remote administration of a machine behind NAT



On Wed,10.Sep.08, 17:15:41, Chris Davies wrote:
> Andrei Popescu <andreimpopescu@xxxxxxxxx> wrote:
> > Maybe I'm dense, but I still don't see the benefits compared to a ssh
> > tunnel.
>
> You have already pointed out that you can't use an ssh tunnel.
>
> Your mother's PC is behind at least one layer of NAT, so any connection
> must be instantiated from there. Start OpenVPN from your mother's PC
> and that will give you a *bi*directional tunnel between her PC and your
> server. You can use that bi-directional tunnel at your convenience to
> start a ssh session (vnc viewer, whatever) from your end /to/ her PC.
> (The OpenVPN connection makes the NAT difficulties irrelevant.)
>
> I'm struggling to see how to explain it more simply, sorry.

Sorry, but I think you are missing my problem. I know how to build a
*reverse* ssh tunnel (actually I already have it in place), where the
connection is initiated by my mother (she has to connect the laptop to
the internet anyway, one more click on a button calling a script is not
a problem).

But how can I prevent a possible attacker from abusing this setup to access
my laptop?

Right now that key

- goes to a dedicated user-account (which belongs to no group other than
its own)
- the key is restricted via .ssh/authorized_keys as much as possible
(see the answer to myself)

Do you see any exploitable weakness in this approach?

Also, as I understand, OpenVPN would only replace ssh with a different
(but somewhat equivalent) technology. I don't see any added benefits
compared to ssh. If I'm missing something please explain because I fail
to see the difference.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
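
Added example, not part of the original message: a small Python audit of the per-key options in .ssh/authorized_keys for a key that should only be able to hold open a reverse tunnel. The policy it checks, the option values and the sample lines are assumptions made for illustration (the poster's actual restrictions are in another message of the thread); the option names are the ones documented in sshd(8).

```python
import re

# Per-key options from sshd(8) AUTHORIZED_KEYS FILE FORMAT. "restrict"
# (OpenSSH 7.2+) implies every no-* flag; "permitlisten" needs OpenSSH 7.8+.
DENY_FLAGS = ("no-pty", "no-agent-forwarding", "no-X11-forwarding", "no-user-rc")
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")

def key_options(line):
    """Return {option: value} for one authorized_keys line (None if blank/comment)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE.match(line):
        return {}  # bare key: no options, so no restrictions at all
    parts, buf, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted  # commas and spaces inside quotes are literal
        if not quoted and ch in " \t":
            break  # unquoted whitespace ends the options field
        if not quoted and ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        prev = ch
    parts.append(buf)
    pairs = (p.partition("=") for p in parts if p)
    return {name.lower(): value.strip('"') for name, _, value in pairs}

def audit(line):
    """List what a tunnel-only key can still do, or why the tunnel would break."""
    opts = key_options(line)
    if opts is None:
        return []
    restricted = "restrict" in opts
    findings = [f"missing {f}" for f in DENY_FLAGS
                if not restricted and f.lower() not in opts]
    if "command" not in opts:
        findings.append("no forced command: key can run arbitrary commands")
    if "permitlisten" not in opts:
        findings.append("no permitlisten: key can bind any forwarded port")
    if "no-port-forwarding" in opts or (restricted and "port-forwarding" not in opts):
        findings.append("port forwarding disabled: reverse tunnel cannot start")
    return findings

# Constructed sample lines (key material is a placeholder, not a real key).
WEAK = 'no-pty ssh-ed25519 AAAAEXAMPLEKEY mother@laptop'
HARDENED = ('restrict,port-forwarding,permitlisten="localhost:2222",'
            'command="/bin/false" ssh-ed25519 AAAAEXAMPLEKEY mother@laptop')
```

With a forced command such as /bin/false the client has to connect with ssh -N, so that no session is requested and only the forwarding stays up.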



