Hi Ankur,

These are the pros and cons of using ssh:

[+] All connections between your server and the remote machine will be
completely encrypted.  No passwords will ever travel in clear text.

[+] You can optionally compress the connection if you have a slow
connection.  I do that regularly and get much better speeds than from
a telnet.

[+/-] You can use ssh to tunnel other protocols, e.g. use it to access
POP mail in a secure manner without having to use APOP.  The - is
there since some people could consider tunneling a potential security
hole.

[+] You can force connections to any combination of remote host,
remote user and local user, securely.  E.g. you could set up ssh to
only accept connections from ``ankur@Ankur Agrawal's PC'' and no other
machine/user, irrespective of which IP Ankur is at.

[+] You can do secure file transfers and, IMO more important, secure
rsync between the client and the server.

[+] Ssh is open source and hence IMHO more secure than running some
binary-only commercial product.  Ssh has an excellent legacy of secure
use behind it, so the ``everyone uses it, it must be good'' argument
is no more valid for any commercial product than it is for ssh.

[-] Ssh is a login protocol, and hence subject to more or less the
same kind of abuse that other login protocols are.  For instance, if
you don't restrict hosts which can tunnel through your firewall, your
ssh server is potentially vulnerable to brute force password attacks.
This goes for commercial firewalls too unless they use another
authentication method (see next point).

[-] Ssh doesn't support all the authentication methods which
commercial firewalls do, e.g. Smart cards.

You could also consider using IPSec (e.g. FreeS/WAN), but tunneling
that through a firewall could become a major pain unless your firewall
is ipchains.

Regards,

-- Raju

>>>>> "Ankur" == Ankur Agrawal <[EMAIL PROTECTED]> writes:

    Ankur> If I understand it correctly, the only way this Wiley guy
    Ankur> can break in is by cracking the encryption, right ?  And he
    Ankur> can't expect to do it in less than a couple of days, if not
    Ankur> weeks or months, with the current key lengths and processing
    Ankur> power.  But are there other holes opened up because the
    Ankur> firewall has a port open for ssh ?  I mean, while that port
    Ankur> is not being used by ssh, can somebody use this port to try
    Ankur> and get access to a machine inside the firewall ?

    Ankur> dialling in is not really an option for me, as I use DSL at
    Ankur> home.

    Ankur> Ankur

    >> -----Original Message-----
    >> From: Sudhakar Chandra [mailto:[EMAIL PROTECTED]]
    >> Sent: Wednesday, August 09, 2000 11:29 AM
    >> To: [EMAIL PROTECTED]
    >> Subject: Re: [LIH] need ssh info
    >> 
    >> 
    >> Ankur Agrawal proclaimed:
    >> > my company's sysadmin is reluctant to give me ssh access to the LAN from
    >> > outside.
    >> > I read somewhere that ssh is safer compared to dial-in, for accessing
    >> > machines inside a firewall from the outside world.
    >> > Would anyone know of any specific site/article that talks about it ?
    >> 
    >> Actually, IMO, the safest way to access machines behind the
    >> firewall is by dialling into a modem rack behind the firewall.
    >> That way, you have a dedicated connection between your machine
    >> and the machine you are dialling into.  Someone would have to
    >> have physical access to the phone loop between you and the
    >> remote machine to break in.
    >> 
    >> ssh is pretty safe.  But the problem is when you ssh into a
    >> machine behind the firewall (or the actual firewall itself),
    >> the packets flow through various machines on the open internet.
    >> J. Wiley Cracker could, theoretically, sniff your packets
    >> passing through his machine and break in.  It is possible, but
    >> IMO, rare at the moment.
    >> 
    >> Thaths
    >> -- 
    >> Homer: Mel Gibson is just a guy Marge, no different than me or Lenny.
    >> Marge: Were you or Lenny ever named Sexiest Man Alive?
    >> Homer: Hmmm, I'm not certain about Lenny ...
    >> Sudhakar C13n http://www.aunet.org/thaths/ Lead Indentured Slave
    >> 
    >> ---------------------------------------------- An alpha version
    >> of a web based tool to manage your subscription with this
    >> mailing list is at
    >> http://lists.linux-india.org/cgi-bin/mj_wwwusr
    >> 

    Ankur> ---------------------------------------------- Find out
    Ankur> more about this and other Linux India mailing lists at
    Ankur> http://lists.linux-india.org/
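To make two of Raju's points concrete (restricting who may connect by user and host, and the exposure of a listener to password guessing), here is an added example, not code from the thread: it parses a constructed sshd_config, applies the AllowUsers user@host rule as sshd evaluates it, and flags the settings that govern password brute forcing. The host part is matched as a hostname pattern only; address/CIDR forms and Match blocks are assumptions left out for brevity.

```python
import fnmatch
import re

# Constructed sample sshd_config (not from the thread). The AllowUsers line
# says: "ankur only from his own machines, raju from anywhere, nobody else".
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 10
AllowUsers ankur@*.example.net raju
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> list of values ('Key Value' or 'Key=Value').
    Simplification: Match blocks are ignored, every line is treated as global."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        values = parts[1].split() if len(parts) > 1 else []
        conf.setdefault(parts[0].lower(), []).extend(values)
    return conf


def user_allowed(conf, user, host):
    """AllowUsers check: entries are USER or USER@HOST, '*' and '?' wildcards.
    No AllowUsers directive means every local account may log in."""
    patterns = conf.get("allowusers")
    if not patterns:
        return True
    for pat in patterns:
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(host, hpat)):
            return True
    return False


def audit(conf):
    """Findings on the settings that decide how much password guessing the listener tolerates.
    Defaults assumed where a keyword is absent: PasswordAuthentication yes, MaxAuthTries 6."""
    findings = []
    if conf.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication is on; prefer key-only logins")
    if conf.get("permitrootlogin", ["prohibit-password"])[0].lower() == "yes":
        findings.append("PermitRootLogin yes: root reachable by password")
    if int(conf.get("maxauthtries", ["6"])[0]) > 6:
        findings.append("MaxAuthTries raised above the default of 6")
    if "allowusers" not in conf:
        findings.append("no AllowUsers: every local account is a login target")
    return findings
```

Running `audit(parse_sshd_config(SAMPLE_SSHD_CONFIG))` on the sample returns three findings (password login, root login, raised MaxAuthTries); the AllowUsers line itself passes.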
