
How can I explain the importance of shell access to my non-technical manager? - pcgeller
Hey HN, long time reader first time poster.

The situation: I'm a new data scientist at a large food company after leaving a large software development company (complete career domain change). My current company is in the beginning stages of a contract with an analytical software company and the applications are in the contractor's cloud. I'd like to write scripts against these applications to automate work like changing projects, taking data extracts, etc. The software company also has their own proprietary language that I'd like to use Python to make calls to. I can't replicate their language server locally.

The problem: The only entry point into their cloud is RDP, which only provides a desktop. I've asked for direct access to our instances in their cloud through ssh and have been denied by the contractor citing a security concern ("The internet could try to compromise it"). This makes a lot of the work I was planning to perform much more tedious, and so I'm trying to explain to my manager why shell access is so important.

Appreciate any input. Any good analogies? I've tried explaining it in different ways to my manager - who kind of gets it - but the full importance hasn't really been clicking. Hoping the wisdom of the internet might be able to help out.
======
WheelsAtLarge
All Managers are very sensitive to cost. Show him/her how much extra work it
takes and what you won't be able to accomplish by not having the proper
access. Non-tech managers are also very reliant on the experts they hire. They
hate to disagree with them since they don't understand the impact of the
technical decision they have to make. That's why they hire them in the first
place. So you'll also have to work with the security team on how to minimize
the impact to the network.

Security guys are quick to say no. I once had a network security guy tell me
that he could not open a web based app to the internet because people in the
internet would be able to use it. I don't think he saw the stupidity of his
argument. He just saw that there would be another security hole on the
network. After working with him for a bit we figured out how to open it to a
point where he was comfortable.

~~~
ddingus
Seconded.

Make a dollars argument. They can balance that against the risk = dollars
argument the security people will make.

If you can demonstrate a significant opportunity cost, perhaps that can also
make for a security upgrade of some kind too.

------
mattbillenstein
ssh is much more secure than rdp imho - I guess unless it's all behind a vpn,
in which case you could just ssh over the vpn as well and the ssh port is
never exposed on the actual internet, so the attack surface would be the same.

That being said, there's always a way -- you could use rdp to constantly run a
reverse ssh tunnel somewhere, then just connect to the other end of the
tunnel...

~~~
hobs
Yeah - the internet can hack RDP as well as SSH - they both expose a port, and
Microsoft recently had a global RDP bug (though not for recent versions) that
enabled that very problem.

A VPN is a good suggestion, and I would probably position it as an industry
best practice whether you are using RDP or other network protocols to access
their resources.

~~~
mattbillenstein
Yeah, in that case, just compare the relative security events between rdp and
ssh and you'll probably convince them they should not be running rdp on the
open internet...

~~~
pcgeller
Good point, thanks for the input. I found some other discussion on RDP and SSH
security here:
[https://ubuntuforums.org/showthread.php?t=1545145](https://ubuntuforums.org/showthread.php?t=1545145)

[https://security.stackexchange.com/questions/133342/how-secure-is-rdp](https://security.stackexchange.com/questions/133342/how-secure-is-rdp)

[https://forums.anandtech.com/threads/ssh-vs-vpn-vs-vnc-vs-software-vs-rdp-which-to-choose-and-why.2358432/](https://forums.anandtech.com/threads/ssh-vs-vpn-vs-vnc-vs-software-vs-rdp-which-to-choose-and-why.2358432/)

------
icedchai
Can you do a reverse tunnel? Connect through RDP, run a script that SSHes out
to one of your own servers and exposes another port that you can then SSH in
on.

~~~
pcgeller
Someone else also suggested this - I need to look into it more.

~~~
bigiain
Note that in at least some places, that could be a fireable offence (possibly
even a criminal offence, if the company takes it badly enough).