On 04.01.19 at 12:20, Thomas Güttler wrote:
> Hi Jan and other ssh-experts,
>
> yes, that's not what I had in mind. But why not? I think it is a valid
> solution.
>
> I am a bit afraid: If setting it up fails, we lose control over our
> remote machines,
> since ssh is the only permanent connection we have.
>
> Thank you,
> Thomas

I see your point. Remote work on a production system always makes my heart beat faster, too. ^^

Some safeguards would come to my mind, but I cannot really make a suggestion, since any such procedure should be something that you yourself feel comfortable with. So, let me just give you some ideas. However: only attempt one of these if you are sure what you are doing!

* A temporary second SSH service could be launched on another port. This port could be forwarded to a second SSH server by using remote forwarding.

* If you can access your server via browser, you could temporarily set up a webshell like this: https://github.com/shellinabox/shellinabox
  Using the LOGIN parameter, you would be completely independent of SSH. (While you could still remote-forward your web port to another SSH server, if it were firewalled.)
  You should note that SSLH could also multiplex HTTPS and OpenVPN. So, if you have an open port 443 for HTTPS, you could use this one and not touch your SSH at all.

* You could make a backup of your machines' configs. Then, you build a dead man's switch. To do this, you might start a screen as root user and do something like:

  sleep 5m ; some_command_to_restore_system_from_backup ; reboot

  Then, you start that sequence and detach the screen. Now, you can try to set up the system as you need it and apply your changes. If you lose your connection, you just wait until the sleep command inside the screen ends and the restore command kicks in.

Personally, I think that the first solution would be the easiest one, the second solution would be the safest one and the third solution would be the fastest one.

Should you find none of them suitable, you might wanna go back to your original VPN-over-SSH approach. (You'd have to wait for someone else's advice in this case. I don't have any experience with this part of SSH.)

Good luck and best regards,
Jan
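The dead man's switch from the third suggestion above, written out as a small POSIX shell example. This is an added illustration, not code from the thread or from Jan: the function names (deadman_arm, deadman_confirm, deadman_wait), the backup/token file naming and the sample sshd_config path are all my own assumptions. It backs up one config file, arms a detached timer that restores the backup unless the change is confirmed before the timer expires, and is meant to be started inside screen, tmux or nohup so that it survives a dropped SSH session. The service reload or reboot that the thread places after the restore is left as a comment.

```shell
#!/bin/sh
# Dead man's switch for a remote config change (constructed example).
# Usage inside a detached screen/tmux session, as root:
#   deadman_arm /etc/ssh/sshd_config 300   # 5 minutes to verify the change
#   ... edit the config, restart the service, open a NEW session to verify ...
#   deadman_confirm /etc/ssh/sshd_config   # only if the new session works

# deadman_arm FILE SECONDS
# Copies FILE to FILE.deadman.bak and starts a background timer. When the
# timer expires and no confirmation token exists, the backup is restored.
deadman_arm() {
    file=$1
    timeout=$2
    backup="$file.deadman.bak"
    token="$file.deadman.ok"
    cp -p "$file" "$backup" || return 1
    rm -f "$token"                      # clear any stale confirmation
    # The timer runs in a subshell detached from our stdin/stdout, so it is
    # not affected when the interactive session that armed it goes away.
    (
        sleep "$timeout"
        if [ ! -e "$token" ]; then
            cp -p "$backup" "$file"     # roll back the unconfirmed change
            # Real deployment: reload the service here (or reboot, as in the
            # thread's "sleep ; restore ; reboot" recipe), e.g.
            #   systemctl restart sshd   (hypothetical, distribution-specific)
        fi
    ) </dev/null >/dev/null 2>&1 &
    echo $! > "$file.deadman.pid"
}

# deadman_confirm FILE
# Creates the token so the timer leaves the new config in place.
deadman_confirm() {
    file=$1
    : > "$file.deadman.ok"
}

# deadman_wait FILE
# Blocks until the timer started by deadman_arm in this shell has finished.
deadman_wait() {
    file=$1
    pid=$(cat "$file.deadman.pid")
    wait "$pid" 2>/dev/null
}
```

The important property is that confirming requires a deliberate action from a fresh, working session: if the change locked you out, you cannot create the token, and the restore happens on its own. Keep the timeout long enough to actually test the new setup, but short enough that an outage stays bearable.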
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev