Xpra: Ticket #17: allow a chain of SSH hosts

Received this patch from Philip Marek.

This can be applied once tested, and since I have no need for it, no rush to test it. Feel free to test and provide a +1 and I'll apply it.



Wed, 07 Sep 2011 06:00:11 GMT - Antoine Martin: attachment set


Wed, 07 Sep 2011 06:33:12 GMT - Timo Juhani Lindfors:

If I read the patch correctly this effectively does

ssh -T host1 ssh -T host2 ... ssh -T hostN xpra_proxy ...

This is not very secure. It lets hosts 1 .. (N-1) see your traffic and your passwords (if you use password authentication). My ~/.ssh/config has

Host host2
 ProxyCommand ssh host1 netcat %h %p

which allows me to simply do "ssh host2". In this setup host1 will only see encrypted traffic.
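
Added example, not part of the original ticket or of xpra's code: Python functions that build both command lines for a list of hops, the nested form the patch is described as producing and the ProxyCommand form from the comment above, generalized to N hops. The function names, the host allow-list and the default port 22 are assumptions of this example.

```python
import re
import shlex

# Conservative allow-list for [user@]host (an assumption of this example).
# It rejects a leading '-' (ssh would parse it as an option), '%' (expanded
# inside ProxyCommand) and shell metacharacters (the relay command is run by
# a shell on each hop).
_HOP_RE = re.compile(r"(?:[A-Za-z0-9_][A-Za-z0-9_.-]*@)?[A-Za-z0-9][A-Za-z0-9.-]*")


def _check(hops):
    if not hops:
        raise ValueError("at least one host is required")
    for hop in hops:
        if not _HOP_RE.fullmatch(hop):
            raise ValueError("unsafe host specification: %r" % (hop,))


def nested_exec_argv(hops, remote_cmd):
    """ssh -T host1 ssh -T host2 ... cmd: every hop terminates an SSH
    session, so hosts 1..N-1 handle the inner traffic in the clear."""
    _check(hops)
    argv = []
    for hop in hops:
        argv += ["ssh", "-T", hop]
    return argv + list(remote_cmd)


def proxy_argv(hops, remote_cmd, port=22):
    """The local client authenticates to the last hop itself; earlier hops
    only run a netcat relay and forward ciphertext."""
    _check(hops)
    proxy = None  # ProxyCommand string that reaches the current hop
    for i, hop in enumerate(hops):
        argv = ["ssh"]
        if proxy:
            argv += ["-o", "ProxyCommand=" + proxy]
        if i == len(hops) - 1:
            return argv + ["-T", hop] + list(remote_cmd)
        # Literal host and port instead of %h/%p, so nested levels are not
        # re-expanded by an outer ssh.
        nxt = hops[i + 1].rsplit("@", 1)[-1]
        proxy = shlex.join(argv + [hop, "netcat", nxt, str(int(port))])


if __name__ == "__main__":
    hops = ["host1", "host2", "host3"]  # constructed sample hosts
    print(shlex.join(nested_exec_argv(hops, ["xpra_proxy"])))
    print(shlex.join(proxy_argv(hops, ["xpra_proxy"])))
```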


Wed, 07 Sep 2011 08:31:05 GMT - Antoine Martin: status changed

In principle, I am not necessarily against giving the ability to do dangerous things; in this case you would have to be using password authentication via an "untrusted" box: the attacker on that box would still need to be root - or at least the same uid? - to eavesdrop on the ssh pty used for sending the password.

It is a risk and a sub-optimal way of doing things, but as long as this is made clear to the user and does not break anything for anyone else (or endanger them in any way), I think this can be applied. But before that, it would require man page amendments...

Comments?


Mon, 26 Sep 2011 07:37:44 GMT - Timo Juhani Lindfors:

I think that doing this the secure way is almost as easy as the proposed patch.


Mon, 20 Feb 2012 19:16:11 GMT - Antoine Martin: milestone changed


Fri, 06 Apr 2012 09:38:09 GMT - bugmenot:

Being able to specify a string of -o 'ProxyCommand %s' would definitely be much more useful because you could also enable sending stuff over corporate HTTP proxies and the like - not to mention safer in the naive ssh use case because of the issue that lindi described.


Thu, 19 Apr 2012 07:20:50 GMT - Antoine Martin: status changed; resolution set

Thought about it some more; I don't think that this belongs in xpra (similar reason to #111).


Sat, 23 Jan 2021 04:43:18 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/17