Quarter Life Crisis

The world according to Sven-S. Porst


Tunnel Vision


Bill Bumgarner wrote a nice summary about what ssh port forwarding can be used for and how to do it. Not big news for me, since I've been using it for my e-mail ever since I was shown how easily anybody on our residence's network at Warwick could find out my password using some simple network tool and a few clever regular expressions to filter it out of all the network traffic. There seem to be three things ssh helps you with:

  1. Your traffic will be encrypted for most of its journey. The ssh tunnel is like a mini VPN.
  2. You are able to access servers that may not be willing to serve you otherwise, typically SMTP servers.
  3. You are able to poke through firewalls that don't allow certain kinds of outgoing traffic. (Our departmental firewall doesn't allow outgoing POP traffic, for example.)

Once you get the hang of the tunnelling business, it can be tremendously useful and helpful. However, I still find it demanding as far as ease of use is concerned. In many cases the course of action is pretty easy to figure out: find the port number you want to access, choose a free port number on your own machine, and know the machine that will do the forwarding. Those are the pieces of information you build the ssh command from. Why don't computers figure all this out automagically?
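As an added example (not the post's own code, nor anything from Bill Bumgarner's summary), here is a small POSIX shell script that assembles the ssh command from exactly those three pieces and, since the post later complains that tunnels die after a while, re-establishes the tunnel whenever ssh exits. The host names are placeholders, and the keepalive and forward-failure options are OpenSSH client settings that postdate this post.

```shell
#!/bin/sh
# Added example, not code from the post. Builds the ssh local-forward command
# from the three pieces named above: the remote port you want, a free local
# port, and the gateway host. Host names are placeholders.

# is_port N: succeeds if N is a decimal number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd LOCAL_PORT GATEWAY REMOTE_HOST REMOTE_PORT
# Prints an ssh command that listens on 127.0.0.1:LOCAL_PORT and forwards
# through GATEWAY to REMOTE_HOST:REMOTE_PORT. Fails (status 1) on bad input.
build_tunnel_cmd() {
    lport=$1 gw=$2 rhost=$3 rport=$4
    is_port "$lport" && is_port "$rport" || return 1
    # Stay above 1024 locally so the tunnel never needs root to bind.
    [ "$lport" -ge 1024 ] || return 1
    [ -n "$gw" ] && [ -n "$rhost" ] || return 1
    # Bind to 127.0.0.1 only, so other hosts on the LAN cannot ride the tunnel.
    # -N: no remote shell, the forward is all we want.
    # ExitOnForwardFailure: exit instead of running on silently without the forward.
    # ServerAliveInterval/CountMax: notice a dead link after about 90 s and exit,
    # which is what lets the restart loop below recover instead of leaving a
    # stale tunnel around.
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$rhost" "$rport" "$gw"
}

# keep_tunnel: same arguments; re-establishes the tunnel whenever ssh exits
# (sleep, network change, idle timeout), so it is there when the mail client
# next needs it.
keep_tunnel() {
    cmd=$(build_tunnel_cmd "$@") || return 1
    while :; do
        $cmd            # blocks until the link dies or the forward fails
        sleep 5
    done
}

# Usage, e.g. POP3 via the department gateway, with the mail client pointed
# at 127.0.0.1:11110:
#   keep_tunnel 11110 gateway.example.org pop.example.org 110
```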

And why do we have to use ssh for this anyway? Isn't that what proxy servers would be for? Why is it that proxy servers for anything other than http or ftp never seem to have taken off? Even there, why does OmniWeb 4.0.3 (or so) seem to be the last web browser capable of choosing its proxy server based on the server you are trying to access?

Many questions. The major theme of them seems to be that the user has to worry about certain technicalities that he isn't really interested in. Why don't all protocols simply provide ways to authenticate the user and encrypt the transmission? Why don't firewalls simply tell a client trying to access some resource: 'Sorry, can't do that. But I can offer to tunnel your request if you have the appropriate credentials.'?

To spin it in a positive way: I see a lot of room for improvement in this area. One little bit of improvement actually comes from Bill in the form of SSHPassKey. It ties ssh and the Mac OS keychain together. For reasons I fail to understand – and which I consider a shortcoming of openssh rather than SSHPassKey – the technique it uses only works for connections that don't happen in a terminal window. Thanks to the joys of open source, this can be remedied by editing those (1 to 3) lines in the source code of openssh that explicitly prevent this kind of thing.

Thanks to that little tweak I have all my ssh connections use the keychain, just like they did in Mac OS 9 courtesy of MacSSH. Couldn't Apple simply piece the bits together and provide that kind of comfort out of the box? Isn't Bill working for Apple now? (Yes, I am aware doing this doesn't fit Bill's job description... just pointing out the company has all the knowledge they need to pull this off. I might send a 'bug' report to ADC.)

The remaining drawback about ssh tunnels is that they tend to die after a while of non-usage. Is there some kind of program that ensures the ssh connection is always open when it is needed?

June 13, 2003, 17:36

Trackback

Trackback “2003/06/14 13:45” from 2lmc spool:

Mac OS X ssh/KeyChain integration

September 9, 2003, 18:31

Comments

Comment by Richard Soderberg:

The remaining drawback about ssh tunnels is that they tend to die after a while of non-usage. Is there some kind of program that ensures the ssh connection is always open when it is needed?

If memory serves me correctly, there’s either built-in or third-party patch support for keepalives in SSH — which would help keep your tunnels open. I can research this further, if you like.

As well, an interesting observation: I’m not allowed to use the CITE attribute of the BLOCKQUOTE tag in your posts.

June 16, 2003, 2:07

Comment by ssp:

Thanks for the tip on keepalive. Unfortunately it’s not really what I had in mind. Having the mail checked at regular intervals will keep the connection alive just fine. However, sending the computer to sleep for a few hours or taking it to a different network will obviously break the connection. I made the problem more precise.

As for the comments… that’s all Movable Type’s magic, so I can’t really comment. Also, I don’t feel inclined to understand how it works.

June 16, 2003, 21:55
