On Fri, 11 Jan 2002 11:53:47 +0100, "Reto Inversini" wrote:
Hi,
If we really want to talk paranoia :-), you could do it like that:
Put a box with some kind of VPN functionality in front of the server, or do it directly on the server in question. Allow ssh only through this tunnel. From the remote admin box, you build up a VPN and make the ssh session through this tunnel. For the VPN you can use some kind of key authentication; for the ssh you can use normal username/password login.
Your gain is:
- someone must first penetrate your VPN
- after that, they have to do the ssh-password trick
- from network traffic analysis, the sniffer can't see what kind of data is transmitted to the server
- port scans won't reveal ssh
IMHO this is probably a downgrade in security over simply using ssh with key security only (no passwords).

I am a very poor programmer (I'm a networks/infrastructure guy), so I'm not going to comment personally, but it seems to be the opinion of a lot of people I respect that FreeSwan's code is crap. I went out to dinner with a bunch of Linux hackers the night after Linux Kongress (Ted Ts'o, Rusty, Wichert etc.) and one of the things we were discussing was firewalling (Rusty is the iptables and kernel firewall code maintainer) and Opportunistic Encryption. One of the nice things to do would be to include more of the IPsec capability in the native kernel, but Rusty said that he's never going to include it in its current state, as it
a) is buggy
b) possibly/probably has remote root exploits in the userspace daemons
c) doesn't hook into the rest of the kernel correctly

Now I ask you. What would you prefer to run as your face to the world?
- OpenSSH, which has had holes in it, but is regularly audited by some of the best security minds in the world?
- FreeSwan, which is written by a small subset of the Linux community, and is regarded by the guy who writes the Linux firewall code as buggy??

My advice is: don't run anything unless you need it, including VPNs :-)

--
Viel Spaß
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
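Both designs in this thread come down to two sshd_config properties: Reto's "allow ssh only through this tunnel" means sshd should listen only on the tunnel-side address, and Peter's "key security only (no passwords)" means password and keyboard-interactive authentication must be off. The following audit script is an added example, not code from either poster; it parses an sshd_config the way sshd does (keywords are case-insensitive, `#` starts a comment, and for a single-valued keyword the first occurrence wins, which is why a later `PasswordAuthentication no` does not rescue an earlier `yes`) and reports which property fails. The tunnel network 10.8.0.0/24 and both sample configs are constructed for the example.

```python
"""Audit an sshd_config for: bound to the VPN tunnel only, key-only auth.
Added example, not the thread's own code; sample configs are constructed."""
import ipaddress
import re

# Defaults sshd applies when a keyword is absent (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older name for the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return ({keyword: [values in file order]}, saw_match_block).
    Stops at the first Match line: everything after it is conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments/blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return opts, True
        opts.setdefault(key, []).append(value)
    return opts, False


def effective(opts, key):
    """sshd honours the FIRST occurrence of a single-valued keyword."""
    return opts.get(key, [DEFAULTS.get(key, "")])[0].lower()


def listen_host(value):
    """Strip the optional port (and rdomain suffix) from a ListenAddress value."""
    value = value.split()[0]
    if value.startswith("["):                 # [IPv6]:port
        return value[1:value.index("]")]
    if value.count(":") == 1:                 # IPv4:port or host:port
        return value.split(":")[0]
    return value                              # bare IPv4, bare IPv6, or hostname


def audit(config_text, tunnel_net):
    """Return a list of findings; an empty list means both properties hold."""
    net = ipaddress.ip_network(tunnel_net)
    opts, saw_match = parse_sshd_config(config_text)
    findings = []
    if effective(opts, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no' (first occurrence wins)")
    if effective(opts, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if effective(opts, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    listens = opts.get("listenaddress", [])
    if not listens:
        findings.append("no ListenAddress: sshd binds every interface, so ssh is reachable outside the tunnel")
    for value in listens:
        host = listen_host(value)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"ListenAddress {value!r} is a hostname; resolve it and check it lies in {net}")
            continue
        if addr.is_unspecified or addr not in net:
            findings.append(f"ListenAddress {value!r} is outside the tunnel network {net}")
    if saw_match:
        findings.append("Match block present: conditional overrides were not evaluated")
    return findings


# Constructed samples. WEAK is Reto's design as it is often written: no
# ListenAddress, and a later 'no' that sshd ignores. HARDENED is Peter's
# key-only advice combined with binding sshd to the tunnel-side address.
WEAK = """\
Port 22
PasswordAuthentication yes
PasswordAuthentication no      # ignored: sshd keeps the first occurrence
"""

HARDENED = """\
ListenAddress 10.8.0.1:22      # hypothetical tunnel-side address
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name + ":", audit(cfg, "10.8.0.0/24") or ["ok"])
```

Run it after every change to sshd_config (`sshd -T` dumps the effective configuration if you would rather audit that output than the file). The checker deliberately treats a hostname in ListenAddress as a finding instead of resolving it: an audit that makes DNS queries answers a different question from "what does this file say".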