_dan | 1 year ago

SSH tunnelling is an utter necessity in the ridiculous corporate environment I work in. Incredible amounts of bureaucracy and sometimes weeks of waiting to get access to stuff, get ports opened, get some exception in their firewalls and VPN so someone can access a thing they need to do their job.

This guide mentions -D but doesn't really articulate quite how powerful it is if you don't know what it does.

ssh -D 8888 someserver, set your browser's SOCKS proxy to localhost:8888 (Firefox still lets you set this without altering system defaults). Now all your browser's traffic is routed via someserver.

I find that to be incredibly useful.

globular-toast|1 year ago

That was pretty much my standard way to browse the web away from home in the mid 2000s. But when I actually got a corporate job they had whitelisted IP addresses so I couldn't even get an SSH connection to some random box on the net. I was so miserable I started to look into setting up an HTTP tunnel and somehow getting a box I controlled whitelisted. But instead of going that far I just changed jobs.

hackit2|1 year ago

It isn't a good idea to circumvent corporate environment networks. They're there for a reason, and doing it shows a lack of professionalism and disrespect for the organization's process, procedures, and security. Yes it takes weeks/months to get access, then it takes weeks/months to get access. You don't want to be held liable for opening a backdoor to confidential information, or compromising their security.

ziml77|1 year ago

Exactly. It's not a good idea to bypass policies at work. Just because you don't know why the policy is there or you disagree with the reason, it doesn't mean you can ignore the policy.

If you can't get your job done, then escalate the issue to your manager. You not being able to get your work done because of other teams is the kind of problem they're supposed to be solving.

barbs|1 year ago

Sometimes they are. Sometimes that reason is long forgotten, or isn't really valid anymore, or is an overprotective measure and not really a good reason in the first place. Quite often it doesn't justify waiting weeks or months to get it changed.

crispyambulance|1 year ago

    [...] they're there for a reason [...] Yes it takes weeks/months to get access, then it takes weeks/months to get access.

Not exactly. Everyone has to evaluate for themselves how legit the rules are and act accordingly. More often than not, boilerplate rules are thoughtlessly applied and there is no pragmatic process to handle the exceptions to those rules.

Admittedly, it's a risk to break such rules. One has to be an adult and use good judgement. It's OK, most of the time.

saagarjha|1 year ago

Many corporate networks show a lack of professionalism and a disrespect for the people the network was designed for.

prmoustache|1 year ago

In many corporate cases, SSH tunneling is the desired way of accessing a closed-by-default port on a firewall. Very often from a predefined bastion host.

If you don't want to open a range of IPs, it allows only people with their SSH key registered on either a selected bastion host or the server to open a specific port.

It can also be a way to authenticate users. For example, if you want to secure the access to an open source version of an app for which only the proprietary enterprise tier allows authentication by LDAP/AD/oauth2. You can have SSH authenticate against LDAP/AD/oauth2 and leave the app running without authentication enabled or with a single user. As long as you don't need RBAC/privilege separation or some kind of auditing of what each user does on the app this is a particularly valid solution.
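
Added example, not part of the thread or any poster's own code: a small auditor for the bastion pattern described in the comment above. It reads an sshd_config and reports, per scope, whether `ssh -L` / `ssh -D` style forwarding can reach any destination or only the ports listed in PermitOpen. The sample config, group names and host name are constructed, and the parser is a simplification that ignores Include files.

```python
# Added example: report which sshd_config scopes allow open-ended TCP forwarding.
# SAMPLE_CONFIG is constructed; its group and host names are hypothetical.
SAMPLE_CONFIG = """\
# constructed bastion config
AllowTcpForwarding yes

Match Group app-tunnel
    AllowTcpForwarding local
    PermitOpen app.internal.example:8080

Match Group contractors
    AllowTcpForwarding no
"""

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}  # OpenSSH defaults

def parse_scopes(text):
    """Return {'global': {...}, 'Match <criteria>': {...}}; first value wins."""
    scopes = {"global": {}}
    current = scopes["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = scopes.setdefault("Match " + value, {})
        else:
            current.setdefault(key, value)  # sshd keeps the first value it sees
    return scopes

def audit(text):
    """Return {scope: verdict} for client-to-server (-L / -D) forwarding."""
    scopes, result = parse_scopes(text), {}
    for name, block in scopes.items():
        # Match-block values override global ones, which override defaults.
        eff = {**DEFAULTS, **scopes["global"], **block}
        dests = eff["permitopen"].split()
        if eff["allowtcpforwarding"].lower() in ("no", "remote") or dests == ["none"]:
            result[name] = "blocked"
        elif "any" in dests:
            result[name] = "open: any destination"
        else:
            result[name] = "restricted: " + ", ".join(dests)
    return result

if __name__ == "__main__":
    print("\n".join(f"{s}: {v}" for s, v in audit(SAMPLE_CONFIG).items()))
```

A dynamic forward (`-D`) is checked on the server like any other client-to-server forward, so a PermitOpen list limits it to the listed host:port pairs. sshd_config(5) also notes that disabling TCP forwarding does not improve security unless users are also denied shell access.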

atoav|1 year ago

I will do everything by the book if your company gives me a person that can help me within half an hour. If every request needs days to complete and then doesn't work and then I have to make another request – if I didn't know better I would call it sabotage.

From the CIA simple sabotage field manual: Insist on doing everything through “channels.” Never permit short-cuts to be taken in order to expedite decisions.

hmottestad|1 year ago

New version of https://xkcd.com/303/ ?

"Waiting for corporate to punch a hole through three firewalls for me to get access to the test server :P"

I was on a project once where a consultant had dropped their laptop and it had taken a week or two to get fixed. After that everyone had to use a laptop provided by the client. When we scaled up the project with 3 more developers the project manager who had set up this policy discovered that the lead time for 3 dev laptops meant that the new developers got to be bored for a month at a fairly high hourly rate.

FroshKiller|1 year ago

Can you cite any examples of damage resulting from personal browsing over an SSH tunnel that the worker was held liable for?