savannah-hackers-public

Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Bernie Innocenti
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Mon, 21 Feb 2011 23:25:36 -0500

On Tue, 2011-02-22 at 00:22 +0100, Jim Meyering wrote:

>[...]
> 
> Wrong comparison.
> Compare using fwknop-and-alt-ssh-port to agent-fwd-through-fencepost.
> The former is more secure.

Ok, I'd like to propose an entirely different solution: we already
employ openvpn to access the FSF internal LAN from remote clients. We
could set up a separate VPN for the Savannah machines.

The SSL certificate can be password protected and would be accessed only
from the openvpn daemon, so it doesn't have to be readable by the user
account (it doesn't even need to be on the same machine).

It seems to be both more secure and more convenient than fwknop,
especially when we have to deal with multiple machines. It's also not too
hard to set up.


--- BEGIN off topic ---

> The TCO of SELinux for the vast majority (since F14, maybe since F13)
> has been zero, because most things "just work."

This is true only for plain desktops and trivial servers that don't
require any major change to the default configuration. Every time I did
something serious, eventually I was forced to either turn off SELinux or
start programming in obscure-language-for-custom-policy-definition.

--- END off topic ---

-- 
Bernie Innocenti
Systems Administrator, Free Software Foundation



