If I ssh from outside my network into my firewall then telnet from my firewall to a network computer, have I lost the ssh security? Thanks, Tom -- Tom Nielsen Neuro Logic Systems 805.389.5435 x18 www.neuro-logic.com
I don't think so as your telnet output is still tunneled through ssh to you.
Martin
--- Tom Nielsen
If I ssh from outside my network into my firewall then telnet from my firewall to a network computer, have I lost the ssh security?
Thanks, Tom --
Tom Nielsen Neuro Logic Systems 805.389.5435 x18 www.neuro-logic.com
Tom Nielsen wrote:
If I ssh from outside my network into my firewall then telnet from my firewall to a network computer, have I lost the ssh security?
No. The outside<->firewall connection is encrypted. The firewall<->internal connection is not. The telnet program doesn't 'know' you're logged in through an ssh connection and so ssh passphrases, etc. are hidden from the internal network. Someone else with access to the internal network could find out what you're doing on the internal machine but someone outside your firewall cannot do so without cracking your SSH keys. You haven't lost ssh security, but (if you can do it) it's better to use ssh between the firewall and the internal machine if you can. -- JDL Non enim propter gloriam, diuicias aut honores pugnamus set propter libertatem solummodo quam Nemo bonus nisi simul cum vita amittit.
Thanks to all for the help. I agree that ssh to both computers would be best, but one computer is a w2k box and doesn't have ssh. I've found ssh clients but not servers...that is without paying big bucks for the software. Tom On Fri, 2003-05-16 at 11:43, John Lamb wrote:
Tom Nielsen wrote:
If I ssh from outside my network into my firewall then telnet from my firewall to a network computer, have I lost the ssh security?
No. The outside<->firewall connection is encrypted. The firewall<->internal connection is not. The telnet program doesn't 'know' you're logged in through an ssh connection and so ssh passphrases, etc. are hidden from the internal network.
Someone else with access to the internal network could find out what you're doing on the internal machine but someone outside your firewall cannot do so without cracking your SSH keys.
You haven't lost ssh security, but (if you can do it) it's better to use ssh between the firewall and the internal machine if you can.
-- JDL
Non enim propter gloriam, diuicias aut honores pugnamus set propter libertatem solummodo quam Nemo bonus nisi simul cum vita amittit.
-- Tom Nielsen Neuro Logic Systems 805.389.5435 x18 www.neuro-logic.com
On Friday 16 May 2003 14:19, Tom Nielsen wrote:
Thanks to all for the help. I agree that ssh to both computers would be best, but one computer is a w2k box and doesn't have ssh. I've found ssh clients but not servers...that is without paying big bucks for the software.
Tom
On Fri, 2003-05-16 at 11:43, John Lamb wrote:
Tom Nielsen wrote:
If I ssh from outside my network into my firewall then telnet from my firewall to a network computer, have I lost the ssh security?
No. The outside<->firewall connection is encrypted. The firewall<->internal connection is not. The telnet program doesn't 'know' you're logged in through an ssh connection and so ssh passphrases, etc. are hidden from the internal network.
Someone else with access to the internal network could find out what you're doing on the internal machine but someone outside your firewall cannot do so without cracking your SSH keys.
You haven't lost ssh security, but (if you can do it) it's better to use ssh between the firewall and the internal machine if you can.
-- JDL
Non enim propter gloriam, diuicias aut honores pugnamus set propter libertatem solummodo quam Nemo bonus nisi simul cum vita amittit.
A VPN inside your internal network would greatly enhance the overall security of your network communications. This should be available for MS and Linux boxes alike. -- Thomas Jones Linux-Howtos Network Administrator OpenGPG Key: 0x6A3DF6E9
--- Thomas Jones
A VPN inside your internal network would greatly enhance the overall security of your network communications. This should be available for MS and Linux boxes alike.
How would you terminate vpn session to windows box? You can initiate it from there using ssh or IPSec client but not terminate it on it. Anyway, VPN is to get you securely into your network and not to ultimate destination box. Martin
-- Thomas Jones Linux-Howtos Network Administrator OpenGPG Key: 0x6A3DF6E9
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
On Friday 16 May 2003 18:28, Martin wrote:
A VPN inside your internal network would greatly enhance the overall security of your network communications. This should be available for MS and Linux boxes alike.
How would you terminate vpn session to windows box? You can initiate it from there using ssh or IPSec client but not terminate it on it. Anyway, VPN is to get you securely into your network and not to ultimate destination box.
Martin
There are numerous VPN applications available for both boxes. A VPN is just encapsulation within a specified encryption aware protocol. Almost all of the protocols available are fully supported by both OS's. If a VPN tunnel is sent from one box to another, and the packet is destined for that MAC address of the VPN end-nodes subnet. It is then unencrypted, stripped down for the MAC address. Being that it is now made it to the LAN, it is routed via the MAC address. Which happens to coincide with the end-nodes MAC address, thus it is sent back up the stack to appropriate layer(s) above. This is easily done. It simply makes network "pipes" throughout the LAN. This is the suggested topological structure in a highly secure environment. All communications are thusly encrypted......not just a terminal session. Even the initial SYN packet of a session connection is fully encapsulated for optimal security. There are no special flags that "terminate" a datagram. There is no need. To the underlying layers it is the same. -- Thomas Jones Linux-Howtos Network Administrator OpenGPG Key: 0x6A3DF6E9
Tom Nielsen wrote:
Thanks to all for the help. I agree that ssh to both computers would be best, but one computer is a w2k box and doesn't have ssh. I've found ssh clients but not servers...that is without paying big bucks for the software.
Openssh comes with Cygwin. Instructions for getting sshd started are located at: http://tech.erdelynet.com/cygwin-sshd.html The only exception to the instructions is in step 6, don't add the -y flag to ssh-host-config and select no when it asks about privilege separation. I was unable to get sshd to run when set up with the privilege separation. Regards, Paul
Thanks for the info on Cygwin. I installed and tried that program a couple months back. Couldn't figure out how to use it in the least bit. I tried reading some information on it, but it never stuck in the old noggin. Is Cygwin just a terminal session? Any newbie sites to help me with that? Tom On Fri, 2003-05-16 at 14:33, Paul Varner wrote:
Tom Nielsen wrote:
Thanks to all for the help. I agree that ssh to both computers would be best, but one computer is a w2k box and doesn't have ssh. I've found ssh clients but not servers...that is without paying big bucks for the software.
Openssh comes with Cygwin. Instructions for getting sshd started are located at: http://tech.erdelynet.com/cygwin-sshd.html
The only exception to the instructions is in step 6, don't add the -y flag to ssh-host-config and select no when it asks about privilege separation. I was unable to get sshd to run when set up with the privilege separation.
Regards, Paul
-- Tom Nielsen Neuro Logic Systems 805.389.5435 x18 www.neuro-logic.com
Thanks for the info on Cygwin. I installed and tried that program a couple months back. Couldn't figure out how to use it in the least bit. I tried reading some information on it, but it never stuck in the old noggin.
Is Cygwin just a terminal session? Any newbie sites to help me with that?
Tom, Cygwin basically gives you the GNU tools on the Windows platform. You have a wide range of packages that can be installed, I primarily use it for the OpenSSH and XFree86, which then allow me to use my workstation at work as an X workstation (I connect to and use a lot of Unix boxes). The XFree doesn't have KDE or Gnome installed, but I use it with Windowmaker and it works fine for me. Finally, http://www.cygwin.com has a lot of documentation and there are mailing lists that you can join listed there as well. If you set up the SSH and use it, when you log in to the Windows box, you will be in a bash shell (which is a terminal session). If you desire to run Native Windows apps remotely, your best bet is to use VNC and tunnel it through your ssh connections. Hope this helps. Paul
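Added example, not part of the original thread: an OpenSSH client configuration contrasting the two setups discussed above (ssh ending at the firewall versus ssh ending on the internal box), with VNC tunneled through ssh as Paul suggests. The host names, the address 192.168.1.20, the user name and local port 5901 are assumptions made for illustration.

```sshconfig
# Added example; host names, addresses and user names are constructed placeholders.
# Client-side ~/.ssh/config on the outside machine.

# The firewall, reachable from the Internet.
Host fw
    HostName firewall.example.com
    User tom

# Case 1: the internal box has no sshd (the thread's starting point).
# SSH ends at the firewall, so the forwarded VNC traffic crosses the LAN
# from the firewall to 192.168.1.20 unencrypted, exactly like the telnet hop.
Host fw-vnc-lan-cleartext
    HostName firewall.example.com
    User tom
    LocalForward 5901 192.168.1.20:5900

# Case 2: the internal box runs sshd (for example OpenSSH from Cygwin).
# ProxyJump (OpenSSH 7.3 and later) relays a second SSH session through
# the firewall, so SSH ends on the internal box itself and the VNC
# traffic only leaves the tunnel on that box's loopback interface.
Host w2k
    HostName 192.168.1.20
    User tom
    ProxyJump fw
    LocalForward 5901 localhost:5900
```

With either entry, the VNC viewer on the outside machine connects to localhost:5901 once the ssh session is up. Only the `w2k` entry keeps the traffic encrypted on the internal network as well.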