I’m not sure what to think about GoToSSH.com either. While this is something I’ve been kinda wondering when it would find a web interface (and likely has others, I just don’t know them), I’m not sure I would use it. I certainly would not use it for anything sensitive in nature. It doesn’t look like it supports certificates, but simply username/password challenge instead. This may make it somewhat moot to block outbound SSH anymore… (Yes, it always has been moot since it could use any port, but still…) Might be a site worth bookmarking or blacklisting depending on your view.
Network security continues as holding sand…
One thought on “accessing ssh over the web”
I’ve been using Ajaxterm. Heise-security had an article about it awhile back on OTP’s using OPIE and Ajaxterm over SSL. It would be even more interesting to combine this with 2FA.
There has been code to run commands through web applications (intentionally or unintentionally) for many years. Command injection is number two on the OWASP Top Ten 2007. Web shells (i.e. web backdoors) are much more serious in nature than local shell users piping ssh through Ajax calls, which they could do in numerous amounts of ways. SpyBye can be used to find certain web backdoors, especially useful in a hosting environment.
I don’t see anything wrong with GoToSSH in concept. Seems to be safer than running ssh on port 22 with all the worms about. Maybe portknocking would be a good protection mechanism.
Comments are closed.