  Data transfer (Message 91 to 100 of 195)  
From: Francois Labreque
Subject: Re: Data transfer
Date: 13 Sep 2011 21:05:57
Message: <4e6ffdf5@news.povray.org>
On 2011-09-13 14:53, Orchid XP v8 wrote:

> Oh, wait, you can set the remote display to not take up the whole
> screen, can't you?
>

Yes.  I run my work laptop at 1440x900, but the screen sizes for my 
remote desktops are 1152x864, so that I still have the contact list of 
my work IM program and my local taskbar visible.  Makes it easier to 
switch from one server to the other, hunt for local files, chat with the 
boss, or surf the internet while still keeping an occasional eye on the 
Oracle indexes rebuilding themselves.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }



From: Jim Henderson
Subject: Re: Data transfer
Date: 13 Sep 2011 23:22:20
Message: <4e701dec@news.povray.org>
On Tue, 13 Sep 2011 19:48:55 +0100, Orchid XP v8 wrote:

> Let me rephrase: There are no SSH servers that are free software.

openssh is released under the GPL, and has been around for quite some 
time now (certainly more than 5 years - I'd say more than a decade).

And there are versions that run on Windows - using cygwin or not.

Jim



From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:27:57
Message: <4e70658d$1@news.povray.org>
>>> You're off by two orders of magnitude. Most Cisco firewalls are in the 5
>>> digit price tag.
>>
>> True. But not this particular one.
>>
>> http://www.ebuyer.com/135532-cisco-asa-5505-firewall-edition-bundle-asa5505-50-bun-k9
>
> Ok. you got me. I usually don't deal with small-office/home-office gear.

I was surprised myself. Our network switches cost about 3x what every 
other manufacturer wanted.

(I soon discovered, however, that these "switches" are actually just 
24-port *routers*...)

>>> You don't need to be a Cisco Certified Internetwork Expert to figure it
>>> out. The Cisco manuals are usually pretty easy to follow, and freely
>>> available on their web site.
>>
>> Really? That might be worth reading...
>>
>
> This is a good place to start:

OK.

> Note: Even though Cisco firewall appliances are now called ASAs, their
> documentation still calls them PIXes all over the place.

Yeah, we've still got a PIX 506e in the corner. Though damned if I know 
why; that thing was starting to become quite unreliable...

>> From what I've seen, you telnet into the router, enter a password, and
>> then enter lines of gibberish such as "enh eth gw all". You would
>> *definitely* need a manual to figure out WTH that actually means, or
>> what the name of the command you want is.
>
> Two things:
>
> First thing, typing ? at any point will list all the available commands
> at that point.

So... it's some kind of hierarchical menu system? (I had assumed that 
all commands are available all the time.)

> Second thing, you don't have to enter gibberish. The commands are plain
> English words. They can be abbreviated for speed, but
>
> sh ip int fa0/0 bri
>
> Is exactly the same as typing
>
> show ip interface fastethernet0/0 brief

I see.

I'm guessing that unless you do this kind of thing all day, you'll 
quickly forget what the name for each command is, and so you'll need the 
manual open constantly. (I really hope the manuals contain more than 
just a reference list of every command name and what it does...)

>> I'm still guessing that, between the configuration for routing to
>> multiple LANs, multiple VPN endpoints, and remote access, adding a line
>> that forwards SSH to a port on a desktop PC whose IP address is
>> configured via DHCP is probably going to take some doing. (!)
>
> Routing for the multiple lans actually comes straight out of the box. You
> configure an ip address on all the interfaces and it will know that any
> packets it receives whose destination is on another lan interface, it
> will forward it (let's disregard security rules, for the moment!).

Even though there's only one connection from the firewall to the 
(multiple) switches?

> Remote lans are handled the same way they would be on a Windows or Unix
> machine. By either configuring a routing protocol, or by adding static
> routes.
>
> On Windows, you'd type:
>
> route add 192.168.200.0 mask 255.255.255.0 192.168.1.1

1. I didn't know you could do that.
2. What does it do?

> VPN endpoints are not more complicated than on any other platform, but
> that's a bit like saying that changing the transmission of a Formula One
> is not more complicated than changing it on a Toyota... It may not be
> for a complete noob.

Presumably you have to specify protocol types and encryption keys and so 
forth...

> Allowing inbound ssh connections will need that PC to have a static NAT
> address, and therefore a static local IP address. Your Netgear or
> Linksys home router can work around this because it also acts as the
> DHCP server, so it knows to which MAC address to send the traffic, but in
> an enterprise where the firewall is a separate piece of hardware, there
> is simply no way to do this.

Quite. The only way this could work is if you wanted to /temporarily/ 
forward SSH (probably on a different port number) to the IP address that 
my desktop PC /currently/ has.

>> And we still have the minor issue that I don't have the password. :-P
>
> If you have physical access to the box, you can do a password recovery

I am *so* not trying this! :-D

Incidentally, I gather that there are two ways to control the ASA. One 
involves telnet. The other involves a serial cable...



From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:31:24
Message: <4e70665c$1@news.povray.org>
On 13/09/2011 10:01 PM, Darren New wrote:
> On 9/13/2011 11:45, Orchid XP v8 wrote:
>> So what changed then? Certainly X hasn't changed since prehistoric
>> times...
>
> ssh port forwarding, for one. It was never hard to forward X. It was
> hard to forward X securely and hard to forward X without first logging
> in over a command line interface.

You mean SSH hasn't existed since before System V as well?



From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:32:52
Message: <4e7066b4$1@news.povray.org>
On 13/09/2011 10:05 PM, Darren New wrote:
> On 9/13/2011 11:45, Orchid XP v8 wrote:
>> OK, let me put it this way: X lets you install an application on a
>> central
>> server, and have multiple X "servers" (i.e. *clients*) connect to that
>> server and have their own instance of the application appear on their
>> screen.
>
> Yep. You still need a computer for each user, tho.

Sure. But I mean, you can set up an application server that more than 
one person can access, without doing anything particularly special.

>> If you want to do that with RDP, you need the multi-thousand dollar
>> "server"
>> version of Windows.
>
> Um, it's $117 online, and that's with five client licenses.
>
> Even if you don't find a deal, it's $525. Far from "multi-thousand
> dollars".

OK, well maybe it's the cost of the client licenses I'm thinking of then...



From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:33:49
Message: <4e7066ed$1@news.povray.org>
On 14/09/2011 04:22 AM, Jim Henderson wrote:
> On Tue, 13 Sep 2011 19:48:55 +0100, Orchid XP v8 wrote:
>
>> Let me rephrase: There are no SSH servers that are free software.
>
> openssh is released under the GPL, and has been around for quite some
> time now (certainly more than 5 years - I'd say more than a decade).
>
> And there are versions that run on Windows - using cygwin or not.

When I looked, I couldn't find any precompiled Windows binaries for 
OpenSSH anywhere.



From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:37:16
Message: <4e7067bc$1@news.povray.org>
On 13/09/2011 09:57 PM, Darren New wrote:
> On 9/13/2011 11:53, Orchid XP v8 wrote:
>> Sure. I'm saying that if you were expecting someone to get/put a file,
>
> Yes, certainly. That is, after all, how things like video games do it.

Really? I thought they just connect to a central game server. 
(Although... actually they mostly seem to use UDP, so "connect" is a 
little nebulous.)

>> Oh, wait, you can set the remote display to not take up the whole screen,
>> can't you?
>
> Or iconify the remote screen, copy the file, expand the remote screen,
> paste the file.

Oh, that works?

> Or just let RDP mount the disks over the link, so they
> show up as networked drives on the remote machine.

Ah - it [optionally] connects local and remote disks, the same way it 
connects printers, right?



From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:40:16
Message: <4e706870$1@news.povray.org>
>> So how do you prevent somebody connecting to your server a thousand
>> times per second and feeding it duff credentials, thereby preventing any
>> legitimate users logging in, and wasting lots of CPU power?
>>
>> See, security isn't so simple...
>>
>
> by having a real firewall (such as the aforementioned Cisco ASA)
> configured to throttle individual connections. ;)

I'm sorry, I thought we were still talking about "why the average home 
user can't easily send a file to another average home user". :-) I doubt 
many home users will pay hundreds of pounds for a Cisco ASA and spend 
god-knows how long learning what "tee sea pee eye pee" is in order to 
set this up.

> Now the /b/tard in question would have to use zombie PCs to do his DOS
> against your machine.

Yeah, because none of the script kiddies have figured out how to do 
that. ;-)

Then again, if somebody decides to DDoS you, it doesn't matter if you 
have *no* ports exposed to the Internet... You still get no service.

Sometimes I think it would be nice if there was a widely-supported 
standard for configuring the firewall at the /other end/ of the last 
mile to drop certain packets. But anyway...


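The per-source throttling idea quoted above, turned into a detection pass over sshd "Failed password" log lines, with the distributed case from the reply included to show what a per-source limit misses. This is an added example, not part of the original post; the ISO timestamp prefix, the thresholds, the function names and the sample log (documentation address ranges) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one source hammering root, then six sources trying once each.
SAMPLE_LOG = "\n".join(
    [f"2011-09-14T04:40:0{i} sshd[300]: Failed password for root "
     f"from 203.0.113.9 port 4000{i} ssh2" for i in range(5)]
    + [f"2011-09-14T04:41:0{i} sshd[301]: Failed password for invalid user admin "
       f"from 198.51.100.{i + 1} port 5000{i} ssh2" for i in range(6)]
    + ["2011-09-14T04:42:00 sshd[302]: Accepted publickey for alice "
       "from 192.0.2.7 port 50100 ssh2"]
)

FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for each failed password attempt, in log order."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def noisy_sources(log_text, limit=3, window_s=10):
    """Sources with more than `limit` failures inside any `window_s`-second window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # forget attempts that fell out of the window
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def peak_failure_rate(log_text, window_s=10):
    """Highest number of failures from all sources combined in one window."""
    q, peak = deque(), 0
    for ts, _ in parse_failures(log_text):
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak
```

On the sample, only 203.0.113.9 crosses the per-source limit, while the combined peak of 6 comes from the burst in which no single source fails more than once.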

From: Invisible
Subject: Re: Data transfer
Date: 14 Sep 2011 04:42:32
Message: <4e7068f8@news.povray.org>
>> In seriousness, manpages are, by definition, *reference* documentation.
>> What the standard Unix system lacks entirely is any kind of
>> *explanation*.
>
> Depends on the manpage.

No, pretty much all of them list the command options, and that's it.

The manpage for bash practically lists the BNF grammar for shell 
scripts, but fails to provide any useful introductory material for 
anyone just trying to get started. (E.g., how the **** do I execute the 
same command for every file in this folder?)

>       PasswordAuthentication
>               Specifies whether password authentication is allowed.  The
>               default is “yes”.
>
> Seems pretty straightforward to me.

Does that disable CHAP as well? Or only plain password authentication? 
(If I'm remembering this right, CHAP is basically password 
authentication, but with a slightly more secure wire protocol.)

>> That's... interesting. I'm damned /sure/ the manpage said to put the
>> files into /etc/sshd or similar. And to edit the SSH configuration file
>> to tell it what (local) user account goes with a given key. And how many
>> simultaneous logins that user can have, what their shell is, and a bunch
>> of other complicated stuff...
>
> There's a difference between configuring sshd and using the public key for
> authentication.
>
> You *can* do a host key, but in most cases it's not necessary:
>
>       Normally each user wishing to use SSH with public key authentication runs
>       this once to create the authentication key in ~/.ssh/identity,
>       ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa.  Additionally, the
>       system administrator may use this to generate host keys, as seen in /etc/rc.

I thought the host key is how the server identifies itself to you, not 
how you identify yourself to the server?

At any rate, it's news to me that you can create a ~/.ssh folder and 
sshd will actually take note of this. I don't recall the manpage 
mentioning this at all.



From: Le Forgeron
Subject: Re: Data transfer
Date: 14 Sep 2011 10:57:09
Message: <4e70c0c5$1@news.povray.org>
On 14/09/2011 10:42, Invisible wrote:

>>       PasswordAuthentication
>>               Specifies whether password authentication is allowed.  The
>>               default is “yes”.
>>
>> Seems pretty straightforward to me.
> 
> Does that disable CHAP as well? Or only plain password authentication?
> (If I'm remembering this right, CHAP is basically password
> authentication, but with a slightly more secure wire protocol.)
> 

Indeed, for ssh, PasswordAuthentication is never going to CHAP.
PasswordAuthentication of ssh needs the lower layer to have already
negotiated an encryption and a mac/checksum.
(it is forbidden to use password authentication over a clear connection)

Myself, I prefer signature authentication, with ~/.ssh/authorized_keys .
My password/passphrase locally unlocks the private key, and the public
key is in the remote host(s) user directory.


> 
> I thought the host key is how the server identifies itself to you, not
> how you identify yourself to the server?

Correct.

> 
> At any rate, it's news to me that you can create a ~/.ssh folder and
> sshd will actually take note of this. I don't recall the manpage
> mentioning this at all.

~/.ssh/authorized_keys !!
(name can be configured with AuthorizedKeysFile )

Maybe you have a different man page for sshd.
Mine talks about ~/.ssh/rc, ~/.ssh/environment, and more...
including ~/.ssh/known_hosts

In fact, the FILES section of the man page for sshd is long... very long.



-- 
Software is like dirt - it costs time and money to change it and move it
around.

Just because you can't see it, it doesn't weigh anything,
and you can't drill a hole in it and stick a rivet into it doesn't mean
it's free.


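The sshd_config keywords named in this exchange (PasswordAuthentication, AuthorizedKeysFile), checked in code: an added example, not part of the original posts, that reads a config the way sshd does (first value wins) and reports which password-style methods stay enabled and where public keys are looked up. The defaults other than PasswordAuthentication, the keyboard-interactive keywords (not mentioned in the thread), the helper names and both sample configs are assumptions made for this example.

```python
# Assumed stock OpenSSH defaults; the "yes" for PasswordAuthentication is quoted in the thread.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
}
# Older configs spell the keyboard-interactive switch this way.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global settings: keywords are case-insensitive and the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional overrides start here; keep global scope only
            break
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **seen}

def password_style_methods(settings):
    """Methods that can still prompt the client for a password."""
    names = ("passwordauthentication", "kbdinteractiveauthentication")
    return [n for n in names if settings[n].lower() == "yes"]

def key_file_paths(settings, user, home):
    """Expand %u, %h and %%; relative entries are taken from the home directory."""
    paths = []
    for pattern in settings["authorizedkeysfile"].split():
        p = pattern.replace("%%", "\0").replace("%h", home).replace("%u", user)
        p = p.replace("\0", "%")
        paths.append(p if p.startswith("/") else f"{home}/{p}")
    return paths

# Constructed sample configurations (not taken from any real host).
PARTIAL = """\
# only the plain password method is switched off; the later duplicate is ignored
PasswordAuthentication no
PasswordAuthentication yes
AuthorizedKeysFile /etc/ssh/keys/%u .ssh/authorized_keys
"""
KEYS_ONLY = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
```

With `PARTIAL`, keyboard-interactive is still listed as enabled; `KEYS_ONLY` leaves public-key login as the only route.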


Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.