
Re: Remote administration of a machine behind NAT



On Wed,10.Sep.08, 17:15:41, Chris Davies wrote:
> Andrei Popescu <andreimpopescu@gmail.com> wrote:
> > Maybe I'm dense, but I still don't see the benefits compared to a ssh 
> > tunnel.
> 
> You have already pointed out that you can't use an ssh tunnel.
> 
> Your mother's PC is behind at least one layer of NAT, so any connection
> must be instantiated from there. Start OpenVPN from your mother's PC
> and that will give you a *bi*directional tunnel between her PC and your
> server. You can use that bi-directional tunnel at your convenience to
> start a ssh session (vnc viewer, whatever) from your end /to/ her PC.
> (The OpenVPN connection makes the NAT difficulties irrelevant.)
> 
> I'm struggling to see how to explain it more simply, sorry.
 
Sorry, but I think you are missing my problem. I know how to build a 
*reverse* ssh tunnel (actually I already have it in place), where the 
connection is initiated by my mother (she has to connect the laptop to 
the internet anyway, one more click on a button calling a script is not 
a problem).

But how can I prevent a possible attacker from abusing this setup to 
access my laptop?

Right now that key

- goes to a dedicated user-account (which belongs to no group other than 
  its own)
- the key is restricted via .ssh/authorized_keys as much as possible 
  (see the answer to myself)

Do you see any exploitable weakness in this approach?

Also, as I understand it, OpenVPN would only replace ssh with a different 
(but somewhat equivalent) technology. I don't see any added benefits 
compared to ssh. If I'm missing something please explain because I fail 
to see the difference.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
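
An added example, not part of this message or the thread: a small audit of `authorized_keys` entries for a key that should only carry a reverse tunnel, reporting which restrictions are absent. The policy it checks (no pty, no agent or X11 forwarding, a forced command, a `permitlisten` limit) and the sample lines are assumptions constructed for illustration, since the restrictions actually used are not shown on this page; `restrict` and `permitlisten` exist only in OpenSSH releases newer than this thread.

```python
import re

# Key-type tokens that start an entry with no options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Restriction -> option that switches it back on after "restrict".
WANTED = {"no-pty": "pty", "no-agent-forwarding": "agent-forwarding",
          "no-x11-forwarding": "x11-forwarding"}

def parse_options(line):
    """Return the options of one authorized_keys line as {name: value}."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf, i = buf + '\\"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in " \t":        # end of the options field
            break
        if ch == "," and not quoted:            # commas inside quotes are data
            opts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    opts.append(buf)
    pairs = (o.partition("=") for o in opts)
    return {n.lower(): (v[1:-1] if v[:1] == '"' else v) for n, _, v in pairs}

def audit(line):
    """List the restrictions a tunnel-only key entry is missing."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    opts = parse_options(line)
    restrict = "restrict" in opts
    missing = [name for name, undo in WANTED.items()
               if name not in opts and not (restrict and undo not in opts)]
    missing += [o for o in ("command", "permitlisten") if o not in opts]
    if restrict and "port-forwarding" not in opts:
        missing.append("port-forwarding")       # restrict alone blocks the tunnel
    return missing

# Constructed sample entries (key material is a truncated placeholder).
WEAK = "ssh-rsa AAAAB3NzaC1yc2E tunnel@laptop"
OLD = 'no-pty,no-agent-forwarding,no-X11-forwarding,command="echo \\"tunnel only\\", bye" ssh-rsa AAAAB3NzaC1yc2E tunnel@laptop'
TIGHT = 'restrict,port-forwarding,permitlisten="localhost:2222",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1 tunnel@laptop'
```

`audit(WEAK)` lists every restriction, while `audit(TIGHT)` returns an empty list.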
