mancalablog


ssh

m (28 Oct 2004 0:10): Can you keep an ssh tunnel alive for a while, and periodically send files over it? Like, I want to scp, but a bunch of different files, and without entering a login/password and incurring the tunnel creation overhead each time.
Grant (28 Oct 2004 15:20): scp -r does not seem to be what you want.
You could possibly (probably) use ncat... network cat... meow.
Paul (28 Oct 2004 17:58): wait, why not scp -r? as far as I can tell scp -r only initiates one secure connection...unless there's some reason the files can't all be in the same directory tree and get sent all at once...

I do believe that there is a way to set up a secure connection in general and then pass things over it one-at-a-time, but I don't know how. I could ask the Linux-networking specialist at work if you want...
m (28 Oct 2004 19:07): recursing isn't what I want. Really, I think I want the power of a shell through an ssh tunnel. like ssh provides. but with the ability to move files as well. Maybe what I want is to be able to mount part of a remote filesystem through an ssh tunnel. This is probably hard to do when I don't have root access to the remote filesystem. Hell, it's probably hard to do even if I do have root.
G (29 Oct 2004 3:37): You can do stuff like that with zshell, too, I believe.
But, ncat? Might be exactly what you want?
This is really a question for Sam. I know he talked to me about using ncat for this exact type of thing... Basically just piping files (with zlib compression, even) to another machine.
m (29 Oct 2004 14:14): interesting
Paul (16 Nov 2004 18:44): You can now ssh ip.a.la !
Ask me for an account if you don't have one already.
Paul (18 Nov 2004 18:42): Caveat: when my machine is off, ip.a.la may point to somebody else's machine, so the first time you connect, check the host key! It should be:
AAAAB3NzaC1yc2EAAAABIwAAAIEAxB2v5XyuvvdHEw9+FF6Y9nM6Svq8HJV9tS5DYbzP7un99fqHgvRxeWSIvs/xYh3RRVW6wS+kTAH9ivGi5MgHVzPGszrrq/kctEGP75PATIrQgCvVCAdQywIAh0Inyu3VTAxmhLKNr/p+/uyXLgip0OGk0KmIQIdi0Wg2HfOCiv8=
and its fingerprint is:
9f:1b:22:46:28:95:22:bf:a2:0c:c3:dc:72:8d:fe:8f
m (18 Nov 2004 20:04): and if that someone else also happens to lie on part of the path between me and digitalaudiorock, then they can replace whatever the actual fingerprint is with what I see:
9f:1b:22:46:28:95:22:bf:a2:0c:c3:dc:72:8d:fe:8f
in any of my http requests to manc.a.la

and of course swap it back in any return data (so that the fingerprint of this post appears to match the correct fingerprint)

I guess that's harder if the fingerprint isn't literally given, but is described, as with "nine eff colon one bee etc."
Paul (24 Nov 2004 20:01): That is true, but it would be hard for someone to intercept both the paths from you to digitalaudiorock.com and from you to me. To maximize security, you could connect from various places as well, if you have shell acct(s) elsewhere, and I could post my key in various places besides just here...
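As an added example (not code from the thread): parse the key blob Paul posted, report its type and size, and derive both the colon-separated MD5 fingerprint that ssh-keygen printed in 2004 and the SHA256 form that current OpenSSH prints, then compare against the posted fingerprint. As m's point above implies, the key and the fingerprint arrived over the same HTTP channel, so agreement between them only shows the post is internally consistent; the comparison that matters is against a fingerprint obtained over a separate path (another network, or the key file read on the server itself).

```python
import base64
import hashlib
import struct

# Host key exactly as posted in the thread (the base64 blob of an OpenSSH
# "ssh-rsa AAAA..." line) and the MD5 fingerprint posted alongside it.
POSTED_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAxB2v5XyuvvdHEw9+FF6Y9nM6Svq8HJV9tS5DYbzP7un99fqHgvRx"
    "eWSIvs/xYh3RRVW6wS+kTAH9ivGi5MgHVzPGszrrq/kctEGP75PATIrQgCvVCAdQywIAh0Inyu3VTAxm"
    "hLKNr/p+/uyXLgip0OGk0KmIQIdi0Wg2HfOCiv8="
)
POSTED_MD5_FP = "9f:1b:22:46:28:95:22:bf:a2:0c:c3:dc:72:8d:fe:8f"


def parse_ssh_key(blob):
    """Decode the SSH wire format: a run of uint32-length-prefixed strings."""
    fields, offset = [], 0
    while offset < len(blob):
        (n,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[offset:offset + n])
        offset += n
    return fields


def describe_rsa_key(key_b64):
    """For an ssh-rsa blob the fields are: key type, public exponent e, modulus n."""
    ktype, e, n = parse_ssh_key(base64.b64decode(key_b64))
    return {"type": ktype.decode(), "e": int.from_bytes(e, "big"),
            "bits": int.from_bytes(n, "big").bit_length()}


def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the raw blob: the form ssh-keygen -l printed in 2004."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(key_b64):
    """SHA256:<unpadded base64> of the raw blob: the form current OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(key_b64, claimed_md5_fp):
    """True only if the blob really hashes to the fingerprint claimed for it."""
    return md5_fingerprint(key_b64) == claimed_md5_fp.strip().lower()


if __name__ == "__main__":
    print(describe_rsa_key(POSTED_KEY_B64))
    print(md5_fingerprint(POSTED_KEY_B64), fingerprint_matches(POSTED_KEY_B64, POSTED_MD5_FP))
    print(sha256_fingerprint(POSTED_KEY_B64))
```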
Paul (17 Mar 2005 18:56): Yes, you have an account. In fact, everybody who has ever posted here has an existing account on ip.a.la (except the $6 spammer). Note that ip.a.la was formerly called abelha.dhs.org and mu.64.nu, and all old accounts still exist. If you forgot your password, email me (pgd at post.-------.edu) to have it reset.

As for disk space, I'm out. But I just got a new hard drive sent to me. But I've been having bad luck with my computer, and don't feel like installing it. But my mind could be changed by popular demand. But for now please don't fill the existing disk completely (use 'df' to check).
Grant (17 Mar 2005 21:14): Awesome. I'll check it out sometime soon.
I miss 'talk,' although there's something to be said for mancala's persistent nature.
I can't check it out here, because the firewall is so strict it's paranoiac. It blocks everything that's not on port 80, it would seem. Also, it blocks many web pages. It's not really a big deal, but I at least wish I could check my email. I sometimes even have work-related emails to send, and have to use my cell-phone, which is 'whack.'
Paul (18 Mar 2005 9:06): On web terminals with Java, you can get Java SSH by Googling for mindterm duke ssh. Of course who knows about security...
JavaScript SSH is theoretically possible with techniques dubbed Ajax, but I don't know of any implementations yet.
m (18 Mar 2005 14:44): alternatively, could you set sshd to listen on port 80 as well?
Paul (18 Mar 2005 21:06): sshd could listen on port 80, so people could use putty from behind a port-80-only firewall...
But the harder question is how to ssh from a public terminal without an ssh client, eg, library computers. Java and future JavaScript implementations can't run ssh directly (that I know of), but can give you a sort-of-telnet-window back to their home server, which can run ssh. Of course the browser-to-server connection had better be secure. It would be easier if the public terminal would just have putty.
Paul (18 Mar 2005 21:15): I misunderstood your predicament, Grant, because you can install software on your machine, right? I'll see about listening on port 80. Although I don't know if your firewall would allow a persistent ssh connection if it's set to only allow individual web requests...
Paul (19 Mar 2005 18:07): $ last | head | grep -v paul | wc; echo ":("
  0   0   0
:(
Grant (21 Mar 2005 8:33): I still mean to try it out. In the mean time, here's a new excuse!
I went to Osaka this weekend (three day weekend), and I saw sumo wrestling! It was a lot of good fun. I went to karaoke, and drank 'cocktails' with absolutely no alcohol in them. I rode a ferris wheel on the top of a shopping mall. I saw Asa Shoryu completely destroy another sumo wrestler. I irreparably damaged my relationships with everyone on the trip, and two people who didn't come. Not really. I'll just have to keep trying, I guess.
Paul (1 Apr 2005 6:44): Qwest DSL sucks badly as of yesterday. Therefore, ip.a.la is unreachable until I can mess with it again this afternoon. Of course, when it comes up again, you'll have "no choice" but to visit.
m (1 Apr 2005 16:25): still nothing from ipala
(1 Apr 2005 19:43): Yeah, and I actually did forget my password.
Login is what I think it is, probably.
Paul (1 Apr 2005 21:02): DSL continues to be problematic. The modem gave me a new local IP address, while the port forwarding continues to go to the old local address (which no machine has). I could easily fix it by restarting the modem if I hadn't already spent a couple hours yesterday dealing with the modem being stupid, as in, forgetting everything whenever it restarts. Conclusion: if you all actually want to log in, say so and I'll spend longer trying to fix it.
m (1 Apr 2005 23:31): some routers let you associate local ip addresses with particular mac addresses - give that a shot
Paul (4 Apr 2005 16:07): ...is finally working again.   THIS MEANS YOU
G (5 Apr 2005 0:18): Can you set a new password on my account, and subsequently tell me what you've set it to?
Paul (5 Apr 2005 6:58): Yes, but you'll have to tell me your email address, wait, is it [firstname]@scn?

'fraid something's wrong with ip.a.la again. Qwest DSL modems suck. I think I could fix this prob if I set my own IP instead of using DHCP ('pump') on Debian; trouble is, I don't know how (maybe with 'etherconf'?).
sam (5 Apr 2005 9:45): i use debian, kinda old software though. i think i use the stuff in the dhcp-client package for dhcp. back when i fixed the ip, i had something like this in my /etc/network/interfaces:

iface eth0 inet static
address 172.23.25.12
netmask 255.255.255.0
gateway 172.23.24.1
Paul (5 Apr 2005 19:06): Okay, ip.a.la is up again (now 63.228.162.112), unless typing this jinxed it. Thanks for your tip, Sam; dpkg-reconfigure etherconf helped me abandon DHCP.
Qwest is sending me a new modem...which may or may not help.
Paul (6 Apr 2005 15:27): ...has been working fine for the last 20 hours...
m (7 Apr 2005 16:35): trouble connecting...
Paul (8 Apr 2005 15:30): Troubles of last 24 hours are resolved...hopefully they'll remain resolved...
Grant (7 Nov 2005 17:45): What I really want is a way to use SSH from behind a firewall.
I know it kind of defeats the purpose, but are there any web-frontends for that kind of thing? It's probably really stupid, though - only protecting half of your traffic isn't really protecting your traffic.
So, let me just say that I hate this stupid firewall/router/etc.
m (7 Nov 2005 19:58): there are java ssh clients -- will that fit the bill? I always search for 'yale java ssh' and take the first hit. I think the client is Mindterm something or other.
Grant (7 Dec 2005 18:26): So, also, if you've got a grza.net account, you get free webmail as part-and-parcel of the bargain. http://webmail.grza.net/

I just thought I'd resurrect the no-title thread for fun, since it popped up in one of my searches.
(7 Dec 2005 18:27): Only I posted in the wrong thread. D'oh.
m (7 Dec 2005 20:57): you'd think it'd be easy to get it in the right thread given how often you leave the Name field blank
(7 Dec 2005 21:54): Oh, SNAP!

Hey, well, maybe I was doing that intentionally, huh? Just to piss you off.
Paul (8 Nov 2006 16:26): Well, I've searched all over, and I can't find the answer, so maybe someone here can figure this out?: Why won't "ssh -X" work between two machines I control? Or even within one machine as "ssh -X localhost"? Once I ssh in, I have no $DISPLAY. This "used" to work, many years ago... Yes, /etc/ssh/sshd_config contains "X11Forwarding yes" (the only hint I've found searching).
Paul (13 Nov 2006 7:30): (It looks like maybe this now works with "ssh -Y" instead of "ssh -X"...)
m (5 Jan 2008 12:15): So you can set up ssh to connect passwordlessly by throwing your public key into the remote .ssh/authorized_keys file, and until recently this is how I got my school email (fetchmail was happy to talk to imapd through an ssh tunnel).
Yesterday the mail server got moved off of the main department machine as part of some server upgrades, and now I'm supposed to use IMAP+SSL to get my email. But this means entering my password every time I want to check it!
(or, alternatively, putting my plaintext password into a mail client config file)
You guys know of a way to get around this?
m (6 Jan 2008 10:30): maybe I should forward all of my messages to grza? And then (possibly?) coax procmail into rewriting the headers to be good as new...
m (6 Jan 2008 10:32): wait, dex, is that what you do?
Paul (6 Jan 2008 19:45): I forward my messages to grza. But I don't have any header-munging. Actually, where I need header-munging is for messages I get with fetchmail, because I only run fetchmail every couple days, and then mutt bizarrely shows the dates not when the messages were sent, but when I ran fetchmail.
Paul (6 Jan 2008 19:46): Clarification: I have some addresses that forward to grza. I have other addresses that I use fetchmail (on my local machine). When I use fetchmail, it is neither from nor to grza.
m (6 Jan 2008 22:04):
:0 fhw
| sed -e "s/^Delivery-date/Fetchmail-arrival/"


You know, that's always bugged me, too. I just threw this together, and silly mutt now grabs the Date header line the way it's supposed to. Procmail is win!
Paul (1 Jun 2008 17:47): I was annoyed because 'ssh -Y' for X-forwarding is terribly slow. But then I discovered 'ssh -CY'. Enabling compression helps a lot! Of course lossy compression on the graphics would be even better, but that's not available afaik.
G (1 Jun 2008 19:03): Maybe you could use a smaller resolution or bit-depth, though?
16-color mode would probably be pretty speedy.
G (1 Jun 2008 19:06): Or, you know, stop looking at pictures. Use a flat color for your desktop. Use non-smoothed fonts. Get a window manager theme that's monochrome, or black-and-white if possible. Start wearing a beret and going to poetry readings.
m (2 Jun 2008 17:06): yeah. Why are you X-fwding to begin with? Stop hating on your tty.
Grant (4 Jun 2008 10:00): I know, seriously. I thought you used links!
Where's the real P, and what did you do to him!
G (4 Jun 2008 10:05): But, have you heard of TightVNC?
R (4 Jun 2008 13:02): I'd be curious how using a SSH tunneled VNC connection would compare to X forwarding... I'd imagine worse latency on VNC, and slightly marred UI elements. I suppose it would depend on how pixmap-heavy P's usage is (I assume you are already using a seriously lightweight WM). I can't imagine either would work well for animation/youtube/FONTS/etc.
Also, NoMachine's NX stuff might be of interest. They have free-beer RPMs and DEBs, even! Please keep us up to date on this, P. I'm all excited now.
I should have been <del>am</del> too lazy to hyprlnk these:
An old but informative review
Obligatory Wikipedia link
The gratis DL link from NoMachine

OT: <strike> and <del> do not work. Why?
Paul (6 Jun 2008 3:40): I had used VNC before, which is better than ssh -CY because VNC knows what it's compressing and uses lossy compression on graphics. But it's a pain to set up, because you have to open the SSH tunnel first, then connect VNC, then set your $DISPLAY correctly. ssh -CY is just one command. I use it for xpdf, or to print on a remote firefox.
G (6 Jun 2008 13:45): It's a pain to set up? I thought that'd be a selling point for you. :P
Can't you just make a little shell script to do all of that, though? I mean, if it's always the same commands. Or is it not an option because you're doing it from random locations?