On Tue, Mar 25, 2008 at 11:28:45AM -0700, Tim Alberts wrote:
That sounds great for getting around a remote dynamic IP address, but some more authentication/security on that web page is necessary, otherwise, anyone who finds that web page is given access?
Strictly speaking, yes; however in practice, the number of bots (or, indeed, external users who are not me) who the magic web page to hit (my actual page is not named as the example on the web page is!) before attacking the ssh connection is zero; therefore since the goal was to prevent stupid robots from brute-forcing my ssh and filling my logs, it isn't necessary.
I mean, strictly speaking you'd next have to insist on a proper SSL connection to the web server, otherwise you are at risk of someone sniffing the username and password used in the .htaccess process. And then after that, you'd have to insist on some kind of security on the remote system to ensure that your passwords are not being captured. Etc, etc.