[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Accessing the repository via Internet

From: Mike Ayers
Subject: Re: Accessing the repository via Internet
Date: Tue, 16 Jul 2002 22:28:23 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530

        This has gone rather OT, but...

Kaz Kylheku wrote:

> I'm sure they have; however, using ssh requires opening up a
> port from the DMZ to their internal network. In the minds of the
> super-paranoid, this introduces the risk of someone exploiting a
> security hole in ssh.

        Paranoia is good, uninformed paranoia is bad.  I'll take one good 
authentication over two bad ones and a slap-together gateway.  There's much
less likely to be a security hole in ssh (open source, constantly reviewed
code), than there is in whatever proxy gets written.

> I think that if you combine ssh with host-based access control, and
> ensure that you only allow crypto authentication, you really have
> nothing to worry about.

        ssh doesn't have unauthenticated or unencrypted modes, which is one 
thing that
makes it really popular with the security conscious.  Host based access
control, on the other hand, is easily enough defeated to not be worth doing.
In any case, with strong encryption and authentication (if it must be, then
use password strength checkers), what bonus does host based access control give?

> What you can do is nest two ssh connections. You see, you can use ssh
> to tell one machine to execute a command on a third machine using ssh.
>     ssh dmz-host 'ssh secure-host command'
> With ssh-agent forwarding, it should work. Anyway, it's worth
> investigating this ``proxy'' scheme.

        This will work if the DMZ machine permits logins and supports ssh.  It 
is a
good way to do things if the "no direct connections from the internet" rule is


reply via email to

[Prev in Thread] Current Thread [Next in Thread]