On 2/20/14, Ron Leach <ronle...@tesco.net> wrote:
> On 19/02/2014 00:18, Zenaan Harkness wrote:
>> Here is my .ssh/config line:
>> LocalForward localhost:9051 127.0.0.1:9051
>
> I thought the LocalForward syntax differed slightly:
> LocalForward Localhost:Port RemoteHost:Port
> (if I've understood man ssh_config)
> so maybe
> LocalForward 127.0.0.1:9051 YourRemoteTORRelayHost:9051

No, although as a template your template is essentially correct, but
note that my tunnel matches your template (which matches the man
page).

We must put ourselves in the shoes of SSH processes:

I tunnel from LOCAL host L to REMOTE host R.
R runs the tor relay process T.
T has an "admin" port, usually 9051 unless configured otherwise.
T admin port 9051 should only EVER listen on 127.0.0.1 (localhost in
nearly all cases).

At L, I want to connect to ONLY a localhost ip:port, i.e.
127.0.0.1:9051, and have SSH tunnel those local connections across the
wire to R and connect the other end of those connections to R's
127.0.0.1:9051 port.

So at L, localhost (or 127.0.0.1) is correct, and likewise at R.

My config was possibly confusing to those not familiar with SSH
tunnelling, since I used "localhost" at L and "127.0.0.1" at R. But
they're actually the same, and interchangeable AFAIU; my apologies for
the confusion.

If you have any further questions or suggestions, please ask, and
thanks for checking in.


> May I pass on a security concern?

Always appreciated.


> Again, if I understand the man
> pages correctly, anyone with access to your machine can use this

Who has access to my machine L?


> tunnel to reach your TOR relay on port 9051.  Using 127.0.0.1 means
> that 'only' local users can do this, but this would include everyone
> with a login on your machine (and anyone who could sit in your chair
> during lunch if you hadn't logged out).

This is true. There are probably more secure ways such as unix sockets
or authenticated socks proxy (by SSH), but I haven't bothered to
learn. It's my workstation though, so no worries for me generally.

Thank you for your considerations,
Zenaan
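An added illustration (not from the thread) of the tunnel described above in ~/.ssh/config form, with the loopback-bound TCP forward beside the Unix-socket variant that was mentioned as the more restrictive option; the host alias "torrelay", the hostname, the user and the socket path are assumed placeholders.

```ssh_config
# ~/.ssh/config on L (the local workstation). Added example; names are placeholders.
Host torrelay
    HostName relay.example.invalid   # placeholder for R
    User zenaan                      # placeholder

    # Bind only on L's loopback; SSH connects the far end to R's loopback
    # control port. Form: LocalForward [bind_address:]port host:hostport
    LocalForward 127.0.0.1:9051 127.0.0.1:9051

    # Keep the default: never let remote hosts reach a forwarded port on L.
    GatewayPorts no

    # More restrictive alternative (OpenSSH 6.7+): bind a Unix-domain socket
    # instead of a TCP port, so ordinary filesystem permissions decide which
    # local users of L can use the tunnel at all. The socket path is assumed.
    # LocalForward /run/user/1000/tor-control.sock 127.0.0.1:9051
    # StreamLocalBindMask 0177     # socket created mode 0600 (owner only)
    # StreamLocalBindUnlink yes    # remove a stale socket before binding
```

After connecting, `ss -ltnp | grep 9051` on L should show the listener on 127.0.0.1 only, never on 0.0.0.0 or *.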


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAOsGNSSuj6Asz=z6bksnllofovtnmsw0chn8uh9rh456m9n...@mail.gmail.com