When Policy Makes Life Difficult

by J. Edward Durrett

Sometimes security policies can be really frustrating to users, since a good protective control can make
a simple task difficult. In one setup where I work, the shop floor, with its commercial printers and digital
manufacturing equipment, is segregated from the rest of the network. That works great most of the time: it was
designed and implemented so that people who normally operate on the shop floor have access, and people who work
in other departments, like me, do not have direct access to the shop floor network.

The other day I was on the shop floor and needed to print some documents but, because of my policy, I could not
use the printer 2 feet away. Of course, I could have set a bad example, plugged in my laptop, overridden the
security controls and printed the thing. Luckily, I knew better than that and had an ssh trick up my sleeve to get
the job done.

Basic printing through ssh is done like this:

cat file.pdf | ssh name_of_host /usr/bin/lpr -P name_of_printer

That of course works if the host you are connecting to is on the same network. In my case, I had to get out of my
network, get into another intermediate network and then into the shop floor network. That requires using the
ProxyJump option (-J), which would be something like this:

cat file.pdf | ssh -J host1,host2,host3 name_of_destination_host /usr/bin/lpr -P name_of_printer

Now, that is a lot of typing to print a document, especially when you need to specify an identity file for the
key used to authenticate to each host. So, some additions to the .ssh/config file make this a bit saner:

# host1 is reached directly
Host host1_nickname
    HostName host1_name
    IdentityFile /home/jed/.ssh/id_1
    Port 22

# host2 is reached through host1
Host host2_nickname
    HostName host2_name
    IdentityFile /home/jed/.ssh/id_2
    Port 22
    ProxyCommand ssh -W %h:%p host1_nickname

# host3 is reached through host2
Host host3_nickname
    HostName host3_name
    IdentityFile /home/jed/.ssh/id_3
    Port 22
    ProxyCommand ssh -W %h:%p host2_nickname

# the destination host is reached through host3
Host nickname_destination_hosts
    HostName destination_host_name
    Port 22
    IdentityFile /home/jed/.ssh/id_dh
    ProxyCommand ssh -W %h:%p host3_nickname

In this example, when you ask to connect to the destination host, ssh works back through the ProxyCommand
entries, first host3, then host2, then host1, and when all those connections are established you can tunnel
through to connect to your destination host. As long as all the keys are set up and ssh-agent is running
properly, printing is as simple as:

cat file.pdf | ssh nickname_destination_hosts /usr/bin/lpr -P name_of_printer

Or, even better, put into a script called 'p':

#!/bin/sh
cat "$1" | ssh nickname_destination_hosts /usr/bin/lpr -P name_of_printer

And, then, to print a file by jumping across multiple networks, simply:

./p file.pdf
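
A fuller version of the 'p' script, added here as an example and not the author's own script: it checks the files
before sending anything, rejects host or printer names that ssh or the remote shell could misread, and fails
instead of prompting at the destination. The names P_HOST, P_PRINTER, P_SSH, safe_name and print_files are
assumptions made for this example.

```sh
#!/bin/sh
# p: print files on a host that is reached through the jump hosts in ~/.ssh/config.
# Added example; P_HOST, P_PRINTER, P_SSH and the function names are assumptions.
P_HOST=${P_HOST:-nickname_destination_hosts}  # Host alias from ~/.ssh/config
P_PRINTER=${P_PRINTER:-name_of_printer}       # print queue on that host
P_SSH=${P_SSH:-ssh}                           # replaceable, e.g. by a stub for offline tests

# ssh joins the remote command into one string that the remote shell parses again,
# and a name starting with '-' would be read by ssh as an option. Allow plain names only.
safe_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

print_files() {
    [ "$#" -gt 0 ] || { echo "usage: p file..." >&2; return 2; }
    safe_name "$P_HOST" || { echo "p: bad host name: $P_HOST" >&2; return 2; }
    safe_name "$P_PRINTER" || { echo "p: bad printer name: $P_PRINTER" >&2; return 2; }
    # Check every file first so that a typo does not leave a half-printed job list.
    for f in "$@"; do
        { [ -f "$f" ] && [ -r "$f" ]; } || { echo "p: cannot read: $f" >&2; return 1; }
    done
    for f in "$@"; do
        # The file travels on stdin, so its name never reaches the remote shell.
        # BatchMode=yes makes the destination login fail instead of asking for a password.
        "$P_SSH" -o BatchMode=yes "$P_HOST" /usr/bin/lpr -P "$P_PRINTER" < "$f" ||
            { echo "p: printing failed: $f" >&2; return 1; }
    done
}

# Run only when file names were given, e.g. ./p file.pdf
[ "$#" -eq 0 ] || print_files "$@"
```

The jump hosts only forward the connection (ssh -W), so no agent forwarding is needed and the keys stay on the laptop.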

In the end, the policy itself does not make things difficult; it simply made things different from what is still,
unfortunately, common practice, namely an anything-goes policy inside the corporate perimeter. Security
policies which seem difficult to live with often have solutions where security is still maintained and doing something
like printing is still easy.

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.
