From: not@thisaddress.foo
Date: Wed, 24 Nov 2004 15:08:51 GMT
Newsgroups: grc.linkfarm

The problem with the scenario described in this 'guide' is that since the user is basically using SSH as a proxy, and since the user is also using actual target destinations from a local browser, it would be a minor administrative task to find all of the URL locations that the employee visited on that local machine, hence employee privacy is lost. Also, having the employee's browser set up to use a proxy would be a red flag for administrators as well.

My way to solve this is to take it one step further. Instead of using the local browser as a proxy configuration, set up two outbound SSH tunnels (typically ports 5800 and 5900) in the SSH client (putty or whatever you use) and VNC servers on each machine in the "at home" network. That way you are never logging anything on the work machine, and when you find a site you surfed remotely you can save it in favorites at home, not at work. The VNC servers could be on as many home workstations as you wanted, and you don't have to have the same machines for the SSH server as the VNC servers (even though you could). And since the SSH server and VNC servers can be different machines, you can have multiple VNC servers running on different machines at home and connect to any of them from one SSH connection. All encrypted through the SSH tunnels, and the local work machine only ever shows that you visited http://localhost:5800, not every site you wanted to visit.

For my Linux friends, tunneling would look like this. In a root terminal:

# ssh -l joe -L 5800:10.1.1.2:5800 -L 5900:10.1.1.2:5900 homedomain.com

Where:

ssh = ssh client program executable
-l joe = username of valid user at the SSH server (the -l is a lowercase 'L')
-L 5800:10.1.1.2:5800 = first outbound tunnel (the first 5800 is the local (localhost) port you will use, the 10.1.1.2 is the IP of the target 'home' machine inside your trusted network, and the second 5800 is the port on the home machine you would be using for VNC. The ports can be different between local and target, but the target MUST match the VNC listening port at the target machine)
-L 5900:10.1.1.2:5900 = second tunnel needed for using VNC as a web client.
homedomain.com = the way to connect to your network at home as seen from the internet. This can be a registered DNS name or an IP address.

If this isn't clear or you want details for your specific system, please post a question in either grc.techtalk or grc.techtalk.linux (or whatever other group you feel is appropriate).
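The post notes that the only trace left on the work machine is a visit to http://localhost:5800, so an administrator looking at browser history learns little; the ssh invocation itself is the more telling artifact. As an added example (not part of the original post), the following parses OpenSSH -L forward specifications from recorded process command lines and flags the VNC pattern described above. The log records are constructed for the example, and the record layout (timestamp, user, command line) is an assumption.

```python
import re
import shlex

# Ports the post relies on: 5900 is the VNC/RFB port, 5800 its built-in web client.
VNC_PORTS = {5800, 5900}

# OpenSSH -L syntax: [bind_address:]port:host:hostport (IPv6 bracket form not handled here).
FORWARD_RE = re.compile(r"^(?:(?P<bind>[^:]*):)?(?P<lport>\d+):(?P<host>[^:]+):(?P<rport>\d+)$")

def parse_local_forwards(cmdline):
    """Return (local_port, target_host, target_port) for each -L on an ssh command line.
    Both '-L spec' and '-Lspec' are accepted, as OpenSSH does; lowercase -l (login name) is ignored."""
    argv = shlex.split(cmdline)
    forwards = []
    i = 0
    while i < len(argv):
        arg, spec = argv[i], None
        if arg == "-L" and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 1
        elif arg.startswith("-L") and len(arg) > 2:
            spec = arg[2:]
        if spec is not None:
            m = FORWARD_RE.match(spec)
            if m:
                forwards.append((int(m.group("lport")), m.group("host"), int(m.group("rport"))))
        i += 1
    return forwards

def vnc_forwards(cmdline):
    """Forwards whose local or remote side is a VNC port, i.e. the pattern the post describes."""
    return [f for f in parse_local_forwards(cmdline) if f[0] in VNC_PORTS or f[2] in VNC_PORTS]

# Constructed sample of process-execution records: "<timestamp> <user> <command line>".
SAMPLE_LOG = [
    "2004-11-24T15:08:51Z joe ssh -l joe -L 5800:10.1.1.2:5800 -L 5900:10.1.1.2:5900 homedomain.com",
    "2004-11-24T15:10:02Z ann ssh -L 8080:intranet.example:80 ann@jump.example",
    "2004-11-24T15:11:40Z bob ssh -L5901:localhost:5900 bob@build.example",
    "2004-11-24T15:12:15Z joe ssh -l joe homedomain.com",
]

def scan_process_log(lines):
    """Return (timestamp, user, forwards) for each record that sets up a VNC port forward."""
    hits = []
    for line in lines:
        ts, user, cmdline = line.split(maxsplit=2)
        found = vnc_forwards(cmdline)
        if found:
            hits.append((ts, user, found))
    return hits

if __name__ == "__main__":
    for ts, user, found in scan_process_log(SAMPLE_LOG):
        print(ts, user, found)
```

The same parser works on any source that records full ssh command lines (auditd execve records, EDR process events), and a corresponding listening socket on 127.0.0.1:5800 or :5900 owned by an ssh process corroborates the finding.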