April 30, 2008
And now for something else…
(hundredth post)
I’m currently bedridden at home from a nasty dose of the flu and therefore have to use ssh to connect to my machine in the lab.
This machine is, however, behind a firewall, so an intermediary SSH server is needed. Typically you would do:
CLIENT> ssh GATEWAY
GATEWAY> ssh DESTINATION
While this is satisfactory for most uses, it doesn’t make copying files any easier, and my usual course of action was to copy the file to the gateway machine and then copy it from there to my laptop.
Today I got a little tired of that and decided to fix it.
This excerpt from “SSH: The Definitive Guide” proposes that you either use a forced command in the gateway’s authorized_keys file to connect on to the destination, or create a manual tunnel like so:
# ~/.ssh/config on client C
host S
hostname localhost
port 2001
# Execute on client C
$ ssh -L2001:S:22 G
# Execute on client C in a different shell
$ ssh S
This works well enough, but it is annoying that it requires the manual creation of the tunnel. As for the authorized_keys forced-command method, it would require creating a new key for the client to use for each destination it connects to through the gateway, so that the gateway knows which machine to connect on to. (It doesn’t matter if you don’t follow what I mean.) Too much effort.
Instead I started thinking about using ssh_config to create the tunnel automatically before the connection:
~/.ssh/config:
HOST DESTINATION
hostname GATEWAY
ControlPath=none
LocalForward 2002 DESTINATION:22
PermitLocalCommand yes
LocalCommand ssh -p 2002 localhost
However, this didn’t work, and I didn’t figure out why it couldn’t get past the key exchange.
Another solution I considered was to use something called ProxyCommand, which I already use to connect to machines through HTTPS and SOCKS proxies. So I wrote a script that makes an ssh tunnel through the gateway and connects to the remote machine through it using the handy ‘nc’ utility.
~/.ssh/config:
HOST [DESTINATION]
ProxyCommand ~/bin/sc 2002 %h %p [GATEWAY]
~/bin/sc:
#!/bin/sh
# $1 = local port, $2 = destination host, $3 = destination port, $4 = gateway host
# ControlMaster=auto makes the first call the master (backgrounded by -f -N) and later
# calls reuse its socket; ExitOnForwardFailure makes a repeat forward of $1 fail fast
# instead of leaving another ssh behind, so nc always talks to the one tunnel.
ssh -oControlMaster=auto -oControlPath="$HOME/.$2$4" -oExitOnForwardFailure=yes \
    -f -N -L"$1:$2:$3" "$4"
exec nc localhost "$1"
This will always use the same tunnel to forward a connection to the ssh server on the destination machine, saving resources. There was however the issue that ssh would try to create the tunnel afresh at each invocation, and the ControlPath was a neat solution to avoid that (if a tunnel already exists, it silently does nothing). The only problem with this technique is that I couldn’t come up with a good way to garbage collect the unused tunnels. Perhaps a file-locking based technique using a counter (similar to reference counting) would work well, but it would be a much bigger project than I wanted.
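The reference-counted garbage collection that the post only sketches, as an added example rather than the post’s own script: acquire/release keep a per-tunnel count under a lock, the first user starts a ControlMaster that carries the forward, and the last user out runs ssh -O exit on it. The script name sc-rc, the state directory (SC_STATE_DIR, defaulting to ~/.ssh/sc) and the GATEWAY placeholder are assumptions.

```shell
#!/bin/sh
# Hypothetical ~/bin/sc-rc (added example, not the post's script): one tunnel per
# destination/gateway pair, torn down when the last ssh session using it ends.
# Assumed ssh_config use:  ProxyCommand ~/bin/sc-rc 2002 %h %p GATEWAY
STATE_DIR="${SC_STATE_DIR:-$HOME/.ssh/sc}"   # counters and control sockets live here

# mkdir(2) is atomic, so a directory serves as a portable mutex without flock(1).
lock()   { until mkdir "$1.lock" 2>/dev/null; do sleep 1; done; }
unlock() { rmdir "$1.lock"; }

# acquire COUNTER START: bump the reference count under the lock; on 0->1 run START
# while still holding the lock, so no second caller uses the tunnel before it exists.
acquire() {
    lock "$1"
    n=$(cat "$1" 2>/dev/null || echo 0)
    if [ "$n" -eq 0 ] && ! "$2"; then unlock "$1"; return 1; fi
    echo $((n + 1)) > "$1"
    unlock "$1"
}

# release COUNTER STOP: drop the count; at 0 remove the file and run STOP.
release() {
    lock "$1"
    n=$(cat "$1" 2>/dev/null || echo 1)
    n=$((n - 1))
    if [ "$n" -le 0 ]; then rm -f "$1"; "$2"; else echo "$n" > "$1"; fi
    unlock "$1"
}

main() {
    port=$1 dest=$2 dport=$3 gw=$4
    mkdir -p "$STATE_DIR"
    counter="$STATE_DIR/$dest.$gw.count"; sock="$STATE_DIR/$dest.$gw.sock"
    # The master carries only the forward; ExitOnForwardFailure turns a bad bind into
    # a failed start instead of a half-working background ssh.
    start() { ssh -oControlMaster=auto -oControlPath="$sock" -oExitOnForwardFailure=yes \
                  -f -N -L"$port:$dest:$dport" "$gw"; }
    stop()  { ssh -oControlPath="$sock" -O exit "$gw" 2>/dev/null; }
    cleanup() { trap - EXIT HUP INT TERM; release "$counter" stop; }
    acquire "$counter" start || exit 1
    # ssh ends a ProxyCommand by closing its pipe (nc then exits) or by signalling it;
    # both paths release exactly once. A SIGKILLed client leaves a stale count behind.
    trap 'cleanup; exit 1' HUP INT TERM
    trap cleanup EXIT
    nc localhost "$port"
}

case $# in 4) main "$@" ;; esac
```

OpenSSH later added ssh -W %h:%p (5.4) and ProxyJump (7.3), which relay a single connection through the gateway without nc or a persistent tunnel and are the simpler answer on a current system.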
I realised that using nc on the gateway machine would also work:
~/.ssh/config
HOST [DESTINATION]
ProxyCommand ssh [GATEWAY] nc %h %p
However, this unsatisfyingly left nc processes running on the gateway machine, probably because the connection shutdown is not handled properly somewhere along the chain.
Both of these solutions had the advantage that the client connects directly to the ssh server on the destination, which keeps ssh keys and forwarded ports usable and prevents man-in-the-middle attacks by the gateway, since it only relays the encrypted stream and the client checks the destination’s host key itself. However, the nc utility is not exactly meant for a production setup. A proper solution to the whole problem would involve modifying the source code of ssh to allow specifying a gateway in some fashion.
I attended this great talk at the Computer History Museum in Mountain View, CA while I was in San Francisco in March.
Today I came across the “famous” Reith Lectures (named after the first Director General of the BBC). If, like me, you were unaware of their existence, they can be found at http://www.bbc.co.uk/radio4/reith/
Of considerable note is the collection of historic Reith lectures, and in particular the one by Bertrand Russell, where he talks about social cohesion and human nature: http://www.bbc.co.uk/radio4/reith/historic_audio/reith_historic.shtml
It certainly makes for good listening. Just a shame that they’re only available in RealCrap format.
Just an update about my current goings-on. I haven’t really had any time to think of what to write.
After Paris, I took a Thalys to Brussels, then a regular train to Amsterdam. Spent 2 days there and took a really good walking tour. Then I took a train to Düsseldorf, waited there for a couple of hours, then a night train to Berlin (I only had a seat, so didn’t sleep well). Was only planning on spending one night in Berlin, but I need to pace myself a bit, so decided to stay two nights. Probably will go to Prague next, but will need to figure out train times and book a hostel ahead of time.
Paris is a full-on experience. Even its subway system seems more complicated than that of other cities at first. The first day I was there it felt like everything was running in fast-time, but it was probably à cause de la sleep deprivation: I had to take a night bus to Dublin for my flight, meaning I missed a night’s sleep. I took a flight to Charleroi, Belgium, then a bus to the train station, then a train to Bruxelles, then the Thalys high-speed train to Paris.
There is definitely a romantic feel to the city, from the public displays of affection to the many couple-centric activities; however I wouldn’t call it cliché - it’s not at all like the movies really. Something that I don’t think many people know is that there are a lot of Japanese people in Paris, mostly tourists I think, as that’s where I keep seeing them. If they’re not the biggest tourist ethnic group then they might be close to it. What I like about them is that they’re not afraid to take a tripod with them to take photos - other people use a flash, for instance, to photograph the Arc de Triomphe at night - no point, crap photo. Some people also don’t get the message that you can’t use flash in some places, or maybe they don’t know how to turn it off, or maybe they’re the worst photographers ever. I don’t understand the mentality of people that still carry around video cameras to film tourist attractions; that stuff never makes compelling viewing - no script.
Yesterday I checked out Notre Dame, the Latin Quarter, the Eiffel Tower, the Champs-Élysées and other things I can’t recall. Today I spent about 4 hours in the Louvre (not enough), saw the catacombs and the cemetery (which I didn’t have the map for, so the only grave I got to see was dear old Oscar Wilde’s) and the Georges Pompidou building (didn’t go in).
Tomorrow it’s on the Thalys again to Amsterdam.
I’m travelling to continental Europe in two days. I have a 10 day within 22 day interrail ticket, but only have about 2 weeks until I need to come back. The rough plan is something like Brussels-Paris-Amsterdam-Berlin/Munich-Prague/Budapest-Vienna-Florence-Rome but that is likely to change (map). I haven’t yet really thought about what I want to visit, other than the catacombs and that graveyard in Paris, and the scientific historical locations in Vienna.
If the cyber-cafe internet on the continent is reasonably priced, then I’ll hopefully blog and post photos - I’m not bringing my laptop as that is just not sensible.
If you want a more interesting read, I recommend this guy.
While posting videos is not something I do very often on this blog, I came across one particular documentary film that really struck me. It’s called Dangerous Knowledge and it’s about four thinkers — Georg Cantor, Ludwig Boltzmann, Kurt Gödel and Alan Turing — who destroyed any hopes we would ever have for certainty in knowledge. The film is especially powerful to me right now as I have for weeks been obsessing over the limits of knowledge, undoubtedly to unhealthy levels. This film does not tell me anything new of course, but it presents it in a light that shows how very deep these problems were to these great mathematicians. The commentary for the documentary was also well chosen — Gregory Chaitin and Roger Penrose among those talking. At one point I was almost reduced to tears by the beauty that was hinted at.