BLU Discuss list archive
[Discuss] vnc
- Subject: [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- Date: Mon, 25 Aug 2014 08:51:27 -0400
- In-reply-to: <53FA1C3B.70908@gmail.com>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com>
> On 8/24/2014 12:22 PM, markw at mohawksoft.com wrote:
>> I would opt to use openvpn instead of an SSH tunnel. You have a better
>> control over security and "ease."
>
> Meh. Shell access is an on/off toggle. Changing how you flip this toggle
> doesn't offer better or worse security, nor does it make anything
> intrinsically easier or more difficult. One can just as easily manage
> access with PAM and LDAP groups.

SSH is a very BAD thing to open up to the free internet. BAD BAD BAD. Once in, you are in. Shell access is dangerous.

Let's break it down:

SSH opens a hole through which many security exploits can come.

SSH tunnels don't allow proper accounting of who is accessing resources.

SSH only recently supports a PKI that allows a single master cert; unfortunately, you have no way to expire keys, no one knows how to use it, and all the non-openssh clients don't support it.

Because of the previous problem, you need to add a key to every server or maintain passwords in the form of LDAP or some PAM module. (yuck)

(One caveat to these statements is that much can be done with a PAM module, but openvpn does these things and WAY more out of the box.)

openvpn has a PKI that allows properly authorized keys to be issued without touching target servers.

openvpn allows secure access to the network; then you can add more security at the service level.

openvpn operates on its own network and virtual adapter. This clearly identifies the origin of the connection and can allow proper firewalling.

openvpn can log every user access with an assigned IP address so that breaches can be tracked. Access from an SSH client only shows its host's IP address.

> I think of it this way: If users need access to everything on an
> isolated network then a VPN usually is the better choice. Otherwise SSH
> is the better choice. Right tool for the job and all that.

I really hate "right tool for the right job" arguments because once you read one, it is usually an excuse for doing something wrong or being lazy. An ssl session, by definition, opens up network access to everything. Why not then use a VPN to do it right?

> That said, I'd avoid using OpenVPN. I don't like X.509. I want X.509 to
> die in a fire. I want it to die painfully and permanently and never
> bother anyone ever again. For Linux to Linux I'd use Layer 3 tunneling
> over SSH using sshuttle to handle the heavy lifting.

Well, the security industry did the work long ago and VPN is the more secure way to allow access. You can hack around with SSH, and if it's just your home server, "Farewell and adieu to you, fair Spanish ladies." If you want a professional access system that can be deployed securely, ssh will be laughed out of the room.

> --
> Rich P.
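The accounting point made above (a VPN assigns each user a virtual address, so internal log entries can be traced back to a named user and their real origin) can be demonstrated with a small script. This is an added example written for this archive page, not code from the thread or from the OpenVPN project. It assumes the default (version 1) layout of the OpenVPN status file, with a CLIENT LIST section and a ROUTING TABLE section, and joins the two so that a VPN address seen in an internal firewall log resolves to a common name and the client's real address. The status text and the firewall log line are constructed samples.

```python
"""Attribute an internal-network log line to a VPN user via the OpenVPN status file.

Added example; not from the BLU thread or the OpenVPN project. Assumes the
version-1 OpenVPN status format. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in the version-1 OpenVPN status layout (assumed format).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Aug 25 08:51:27 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,12345,67890,Mon Aug 25 08:00:10 2014
bob,198.51.100.7:40000,2222,3333,Mon Aug 25 08:30:00 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Mon Aug 25 08:50:00 2014
10.8.0.10,bob,198.51.100.7:40000,Mon Aug 25 08:49:30 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed iptables-style log line from an internal file server; the source
# address is inside the VPN pool, so on its own it names no person.
SAMPLE_FW_LINE = ("Aug 25 08:50:12 fileserver kernel: IN=eth0 SRC=10.8.0.6 "
                  "DST=10.0.0.20 PROTO=TCP DPT=445")

SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b")


@dataclass
class VpnSession:
    common_name: str        # certificate CN the client authenticated with
    real_address: str       # public IP:port the tunnel came from
    virtual_address: Optional[str]  # address assigned inside the VPN
    connected_since: str


def parse_status(text: str) -> Dict[str, VpnSession]:
    """Return {virtual_ip: VpnSession} by joining CLIENT LIST and ROUTING TABLE."""
    by_cn: Dict[str, VpnSession] = {}
    by_virtual: Dict[str, VpnSession] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        # CLIENT LIST rows: CN, real address, bytes in, bytes out, connected since
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, _rx, _tx, since = fields
            by_cn[cn] = VpnSession(cn, real, None, since)
        # ROUTING TABLE rows: virtual address, CN, real address, last ref
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            vip, cn, real, _last = fields
            sess = by_cn.get(cn) or VpnSession(cn, real, None, "")
            sess.virtual_address = vip
            by_virtual[vip] = sess
    return by_virtual


def attribute(log_line: str, sessions: Dict[str, VpnSession]) -> Optional[str]:
    """Map the SRC= address of a log line to 'common_name via real_address'.

    Returns None when the line carries no SRC= field or the address is not a
    currently connected VPN client (e.g. an address outside the pool).
    """
    m = SRC_RE.search(log_line)
    if not m:
        return None
    sess = sessions.get(m.group(1))
    if sess is None:
        return None
    return f"{sess.common_name} via {sess.real_address}"


if __name__ == "__main__":
    sessions = parse_status(SAMPLE_STATUS)
    print(attribute(SAMPLE_FW_LINE, sessions))
```

With a real deployment the status text would come from the file named by the server's `status` directive; the join is the same. Note that the mapping is only as good as the snapshot: a virtual address released and reassigned after the log line was written points at the wrong user, so a status file should be sampled and retained on the same schedule as the logs it is meant to explain.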