Jilano 14210 269d
I don't want to meet the person with a brain capable of imagining such a thing. The process in itself is just insane...
I understand why you wanted to get out of there. Hope you'll be happier now!
(On a side note, I laughed when reading "tties/tities".)
zvyn 639 269d
How does one get to the point of writing a custom SSH alternative? (There is a point in using mosh but not via SSH jump hosts.)
netikras 4947 268d
@zvyn there are plenty of commercial alternatives already. Mostly they are used because they are able to provide much better auditing when compared to ssh. For instance fkup (title is made up not to reveal actual technologies used there) can record EVERYTHING there is on a terminal, and later on security auditors can replay every single session that was made to that server. Another alternative can do that + implements custom authorization policy integrated with internal infrastructure tools + it does log non-printable keystrokes (like ENTER, TAB, wtv would not appear on the terminal) + it can categorize those logs + authorized personnel can review those logs in plain-text + you name it.
Huge enterprise companies do this thing and it would be unimaginably difficult to work there if they didn't. HOWEVER, since these tools are ALTERNATIVES, they are not nearly as stable and efficient as ssh. Not to mention the lack of some essential ssh features.
netikras 4947 268d
@zvyn ssh alternatives do come in handy when limited personnel has to oversee unlimited infrastructure. I cannot imagine any team of sysadmins provisioning each ssh access request or attempting to figure out where the f*** did those SAN LUNs disappear when we are talking about infra with tens of thousands of servers.
A darn zoo where you can find anything from RHEL 7.3 to RHv4 or SCO-unix or hp-ux <9 or tru64 or zlinux or hell knows what else.
So one must have a way to reliably check what, when, how, by whom and why was done on the server.
zvyn 639 268d
@netikras right, that (especially the auditing part) seems reasonable! Where I worked the sysadmins used Puppet, Ansible, etc. for managing "unlimited infrastructure" (I'm sure something like that is part of your setup as well). Also the "zoo" could be categorised into a few OS versions per client. In that scenario updates would never involve logging on to the server, and a request like "upload this PDF on that server" was answered with "build a Debian package, upload it to the repo and I'll add it to the appropriate puppet file".