Mailing List Archive



Re: [tlug] telnet'ing to home with Java servlet



On Tue, 01 Nov 2005 11:45:43 +0900 Shawn <shawn@example.com> wrote:

>      4. enter in your commands (ls, grep, cp whatever) and upload file
>         with password [to this securely, you'd want a list of disposable
>         passwords that the servlet checks each time before running the
>         commands.  

One-time passwords are vulnerable to man-in-the-middle attacks.

>         Take a copy of the list to work and then send it in].
>         Actually, you could just submit the file clear text since it is
>         disposable but I thought pgping it would hide your password
>         length.  If you did, pgp it, you'd have the ANT file decode the
>         pgp file.

What you have is close to tunneling telnet over http.  
The security of your approach is robustly broken in manifold ways.  

> I'd try tunneling myself I think -- just to learn something new.

There are Java based tunnels for carrying ssh over http. 

On the PC at work, one browses to a page on the home computer. 
That web page downloads Java code for the work browser to 
execute. That Java code implements a ssh client and then 
tunnels it over http to the home server. The home server 
would have more Java stuff for the other side of the http 
to ssh conversion. 

Such browser Java clients communicate securely. Their weak link
is when the browser downloads the Java client code:
a man in the middle could substitute compromised Java code,
so you'd want to use https and the big certificate thing to
download the Java client.

Dave has not exhausted the simplest approaches, so it is best to 
wait for him to complete the list of simple things to try in the 
Occam's Razor letter. 
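
A toy model of the one-time-password point in the message above, added here as an illustration and not part of the original message or thread: the servlet checks the disposable password but nothing ties it to the uploaded commands, so a body rewritten in transit is accepted. The `Servlet` class, the sample passwords and the HMAC-bound variant are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed sample list of disposable passwords (not from the thread).
PASSWORDS = ["tulip-4821", "marble-9930", "osprey-1177"]


class Servlet:
    """Toy model of the home server; 'executing' just returns the command text."""

    def __init__(self, passwords):
        self.passwords = list(passwords)
        self.used = set()

    def run_plain(self, password, commands):
        # Scheme from the quoted message: check the password, then run the upload.
        if password not in self.passwords or password in self.used:
            return None
        self.used.add(password)
        return commands

    def run_bound(self, index, commands, tag):
        # Assumed variant: the password never travels; it keys an HMAC over the commands.
        if not 0 <= index < len(self.passwords) or self.passwords[index] in self.used:
            return None
        expected = sign(self.passwords[index], commands)
        if not hmac.compare_digest(expected, tag):
            return None
        self.used.add(self.passwords[index])
        return commands


def sign(password, commands):
    """Client side of the assumed variant: tag = HMAC-SHA256(password, commands)."""
    return hmac.new(password.encode(), commands.encode(), hashlib.sha256).hexdigest()


def tamper(commands):
    """Stand-in for an on-path party that rewrites the request body in transit."""
    return "REPLACED BY INTERMEDIARY"


def demo():
    plain = Servlet(PASSWORDS)
    # The password is valid, so the rewritten body is accepted as if the user sent it.
    plain_result = plain.run_plain(PASSWORDS[0], tamper("ls /home"))
    bound = Servlet(PASSWORDS)
    tag = sign(PASSWORDS[1], "ls /home")
    tampered = bound.run_bound(1, tamper("ls /home"), tag)  # tag no longer matches
    honest = bound.run_bound(1, "ls /home", tag)
    replay = bound.run_bound(1, "ls /home", tag)  # password already consumed
    return plain_result, tampered, honest, replay
```

The bound variant only adds integrity for the command body: short passwords can still be guessed offline from a captured tag, and nothing is encrypted, which is why the ssh-over-https route described in the message remains the stronger option.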



