From: Matthew Ghio <ghio@myriad.alias.net>
To: cypherpunks@toad.com
Message Hash: c85457a7493aef31d604547f35b01456cd5d1368e5b80375cd7bafcb2d20516c
Message ID: <199610061634.MAA28522@myriad>
Reply To: <199610021431.JAA02934@linkdead.paranoia.com>
UTC Datetime: 1996-10-06 18:14:38 UTC
Raw Date: Mon, 7 Oct 1996 02:14:38 +0800
From: Matthew Ghio <ghio@myriad.alias.net>
Date: Mon, 7 Oct 1996 02:14:38 +0800
To: cypherpunks@toad.com
Subject: Re: encrypting pppd?
In-Reply-To: <199610021431.JAA02934@linkdead.paranoia.com>
Message-ID: <199610061634.MAA28522@myriad>
MIME-Version: 1.0
Content-Type: text/plain
Ian Goldberg <iang@cs.berkeley.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <961002.235706.1R8.rnr.w165w@sendai.scytale.com>,
> Roy M. Silvernail <roy@scytale.com> wrote:
> >In list.cypherpunks, vax@linkdead.paranoia.com writes:
> >
> >> Anyone worked on, or know of a freely available, one of these beasts?
> >
> >What threat model does this address? It'd be link encryption, where the
> >best security is found in end-to-end encryption.
>
> pppd doesn't necessarily run over a modem; you can "tunnel" it over
> another IP connection.
>
> I have in fact done this very thing. Use ssh to (encrypted) log in to
> the ppp server, and start pppd at each end. It's been a while; I think
> I had to tweak something to make it work over a pty instead of a serial
> port.
Here's a little script for tunnelling SLIP over a ssh session on Linux:
(sleep 2;\
/usr/local/bin/ssh -l username -e none remotehost</dev/ttyqe>&/dev/ttyqe)&
(echo "port ptyqe";\
echo "wait ord: 15";\
echo "send secretpw\\n";\
echo "wait (shellprompt)> 60";\
echo "send slip\\n";\
echo get \$rmtip 192.168.0.1;\
echo get \$locip 192.168.0.2;\
echo "mode CSLIP";sleep 15)|/sbin/dip -tv
PPP is a little more complicated; I found it's easier if you put the ssh on
the pty instead of the tty side. You can't do this from a shell script,
because the pty can only be opened once. This will take care of that:
main(ac,av)int ac;char **av;{
int fd;
fd=open("/dev/tty",O_RDWR);
ioctl(fd,TIOCNOTTY);
close(fd);
fd=open("/dev/ptyqf",O_RDWR);
if(fd<=0) exit(1);
dup2(fd,0);
dup2(fd,1);
dup2(fd,2);
execl("/usr/local/bin/ssh","ssh","-l","username","-e","none","-c","idea",
"-t","remotehost","mesg n;/usr/sbin/ppp -direct mylink",(char *)0);
exit(1);
}
Do remember that you can't route the ip addresses that you're tunneling
inside the tunnel! So be sure to assign some alternate ip addresses to
each end of the link. 192.168.x.x will work; those addresses aren't
assigned to anyone.
I used /dev/ttyqf for the tty, that is usually unused. If you have more
than 30 users online then you'll need to increase it.
Return to October 1996
Return to “VaX#n8 <vax@linkdead.paranoia.com>”