info-cvs
Re: Accessing the repository via Internet


From: Mike Ayers
Subject: Re: Accessing the repository via Internet
Date: Tue, 16 Jul 2002 22:28:23 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530

        This has gone rather OT, but...

Kaz Kylheku wrote:

> I'm sure they have; however, using ssh requires opening up a
> port from the DMZ to their internal network. In the minds of the
> super-paranoid, this introduces the risk of someone exploiting a
> security hole in ssh.

        Paranoia is good; uninformed paranoia is bad.  I'll take one good secured
authentication over two bad ones and a slap-together gateway.  There's much
less likely to be a security hole in ssh (open source, constantly reviewed
code) than there is in whatever proxy gets written.

> I think that if you combine ssh with host-based access control, and
> ensure that you only allow crypto authentication, you really have
> nothing to worry about.

        ssh doesn't have unauthenticated or unencrypted modes, which is one thing
that makes it really popular with the security conscious.  Host-based access
control, on the other hand, is easily enough defeated to not be worth doing.
In any case, with strong encryption and authentication (if it must be, then
use password strength checkers), what bonus does host-based access control give?

> What you can do is nest two ssh connections. You see, you can use ssh
> to tell one machine to execute a command on a third machine using ssh.
>
>     ssh dmz-host 'ssh secure-host command'
>
> With ssh-agent forwarding, it should work. Anyway, it's worth
> investigating this ``proxy'' scheme.

        This will work if the DMZ machine permits logins and supports ssh.  It is a
good way to do things if the "no direct connections from the internet" rule is
unwaivable.


/|/|ike
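The nested-ssh scheme discussed in this thread, as an added example that is not code from either poster: a small CVS_RSH wrapper that hops through the DMZ host so CVS reaches the internal repository without any direct connection from the internet. The host names dmz-host and secure-host and the path /cvsroot are assumptions, as is the installed script name cvs-hop.

```shell
#!/bin/sh
# Added example, not from the thread.  Install as "cvs-hop", then use:
#   CVS_RSH=/usr/local/bin/cvs-hop  CVSROOT=:ext:secure-host:/cvsroot
# CVS invokes "$CVS_RSH secure-host cvs server"; we forward that through the
# DMZ host as "ssh -A dmz-host ssh secure-host cvs server".
# Assumed names: dmz-host (bastion in the DMZ), secure-host (repository).
# On secure-host, pair this with PasswordAuthentication no in sshd_config so
# the inner hop accepts key-based (crypto) authentication only.

DMZ_HOST="${DMZ_HOST:-dmz-host}"

# Single-quote one argument so the login shell on the DMZ host passes it
# through unchanged to the inner ssh (embedded quotes are escaped as '\'').
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command line the DMZ host will run for us.
# Usage: nested_cmd <host> [args...]   (exactly what CVS hands to $CVS_RSH)
nested_cmd() {
    cmd="ssh"
    for arg in "$@"; do
        cmd="$cmd $(shquote "$arg")"
    done
    printf '%s' "$cmd"
}

# Perform the hop.  -A forwards the local ssh-agent only as far as the DMZ
# host, so the inner ssh authenticates with the key loaded on the client and
# no private key ever needs to live on the bastion.
run_hop() {
    exec ssh -A "$DMZ_HOST" "$(nested_cmd "$@")"
}

# Act as the wrapper only when executed under the installed name, so the
# helper functions above can also be sourced and exercised on their own.
case "$0" in
    *cvs-hop) run_hop "$@" ;;
esac
```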