backwards zebedee or ssh

Charles Hines hines "at" gderome.com
Fri, 09 Jun 2000 14:19:02 +0000


>>>>> "Me" == Charles Hines <hines "at" gderome.com> writes:

>>>>> "Glenn" == Glenn Newell <gnewell "at" synopsys.COM> writes:
Glenn> Chuck, if you turn it around so the server connects to the client I'm
Glenn> worried I wouldn't have the -r capability (to restrict redirect ports)
Glenn> on the client piece (since it now works only on the server. Again,
Glenn> can't we just turn the direction of port redirect around, without
Glenn> changing the direction of connection from the client to server?

Me> Ah yes, I see what you mean...

Or so I thought.

Me> I'm going to have to think about the "right way" to do this some more.
Me> I've got a couple of ideas but really need to mull them over...

Ok, I mulled this over on my drive home last night, and came to the conclusion
that I think my original idea is still correct, and I'll explain why.  Please
correct me if things seem wrong to you still.

Normal Zebedee usage:

  - Remote host runs in server mode.
  - Local host runs in client mode, connecting local port to remote port for
    some service running on the remote host, if the server is allowing that
    port to be accessed.

So your setup (similar to mine) has you (the helpdesk) outside of the
firewall, which the person who needs the help is running behind.  They are the
ones who need to run Zebedee in server mode, not only because of the way
Zebedee is set to work (where the server mode provides the connection to the
service, in this case VNC) but also because since they are behind the
firewall, it makes more sense from a security standpoint for them to want to
restrict what ports you want to allow access to (the -r parm), not you.
Correct?

So, by providing a means to reverse the connection sequence, they get to run
the server part, with the necessary restrictions on port access, inside the
firewall where they have control over it so you can't arbitrarily connect to
random ports other than the VNC one.

Other minor changes may be needed to go with this, like the client code would
essentially ignore the server hostname in the port redirection command since
it no longer needs to know that to initiate the connection.

Looking over the Zebedee code, my initial statement of "it shouldn't be too
hard" may need some revision, but I think the idea is still the right one.

What do you think?

Chuck

-- 
Charles K. Hines   <ckh "at" requesttech.com>   <hines "at" gderome.com>
Principal Scientist at ReQuest Technologies Inc   (http://www.ReQuestTech.com/)
Martial Arts Instructor [Modern Arnis and Balintawak Escrima]

         "Go back to sleep, Chuck.  You're just havin' a nightmare
             -- of course, we ARE still in Hell." (Gary Larson)
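The design argued for in the message above, modelled as an added example (not Zebedee's own code): the party behind the firewall keeps the -r allow-list whether or not it is the side that opens the TCP connection, and in the reversed setup the client no longer uses the server host named in the redirect request. The "5900,5800-5810" allow-list syntax, the "localport:serverhost:remoteport" request form and the message names are assumptions for the illustration.

```python
from dataclasses import dataclass

def parse_allowed_ports(spec: str) -> set:
    """Expand a '-r' style allow-list such as "5900,5800-5810" into a set.
    (Assumed syntax.) Rejects anything that is not a port or a low-high range."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        lo, hi = int(low), (int(high) if high else int(low))
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port spec: %r" % item)
        ports.update(range(lo, hi + 1))
    return ports

def parse_redirect(spec: str, reversed_connection: bool) -> tuple:
    """Split an assumed 'localport:serverhost:remoteport' redirect request.
    With the connection reversed the peer is already connected, so the
    host part is ignored, as the message suggests."""
    local_port, host, remote_port = spec.split(":")
    host = None if reversed_connection else host
    return int(local_port), host, int(remote_port)

@dataclass
class FirewalledSide:
    """Party behind the firewall: runs the services and owns the -r policy."""
    allowed: set

    def answer_redirect(self, port: int) -> bool:
        # The policy decision lives here in both connection directions.
        return port in self.allowed

def run_session(firewalled: FirewalledSide, request: str,
                reversed_connection: bool) -> dict:
    """Model one tunnel setup: who opens the TCP connection changes with the
    direction, who decides whether the redirect is allowed does not."""
    _, host, remote_port = parse_redirect(request, reversed_connection)
    return {
        "tcp_initiator": "firewalled" if reversed_connection else "helpdesk",
        "server_host_used": host,
        "granted": firewalled.answer_redirect(remote_port),
    }

if __name__ == "__main__":
    inside = FirewalledSide(parse_allowed_ports("5900"))  # only VNC allowed
    for direction in (False, True):
        print(run_session(inside, "5900:inside.example:5900", direction))
        print(run_session(inside, "2222:inside.example:22", direction))
```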
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------