If Elliptic Curve DSA (ECSDA) is available and supported on both ends, it can be used by adding “-t ecdsa” to the ssh-keygen command. In addition to the obvious purpose of connecting to a remote laptop that moves around alot, I’ve used this technique to circumvent poorly configured firewalls and to bring ad-hoc servers in other countries online before jumping on a transpacific flight with only 30 minutes to implement a “vpn”.įirst step is to setup an authorized_keys file to allow logins for a private key, run the following on the client machine (Mac OS X laptop in my case). Furthermore, use the Mac OS X launchd correctly to create and maintain connections automatically, don’t fork the ssh client, rely on the launchd KeepAlive feature. Don’t pretend not allocating a pty is secure, it’s not, just prevents the obvious shell logins. If you don’t to execute, don’t execute anything. For example, people play tricks to avoid executing arbitrary commands by forcing ssh to execute something like /usr/bin/false. It will work behind NAT routers, but probably not behind strong corporate firewalls that only allow web proxy traffic out (something like corkscrew could help with this if you need it).Ī lot of other people have written guides about how to do this and have done it wrong. This phone home technique will work as long as the laptop can create an outgoing ssh connection. The following guide will enable me to connect to the laptop if I leave it at home, leave it at work, or in the unfortunate event that someone steals it and the thief defeats File Vault full disk encryption. I want to always be able to securely connect to my Mac Book Pro anywhere in the world.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |