A reverse ssh tunnel is a secure solution, if configured properly and using
robust keys, access control and a strong password. It keeps control over
the connection with the connecting user/site, as it should be in a normal
customer/supplier relationship.
I do not want to speculate about what you've heard. If you were not
told why/what the problem is, I would do due diligence on the ssh side
(patching, CVE reviews, access logs, configuration, best practices, key
rotation, etc.) and formally request details from the person making the
security issue claim. If the outcome is not negative for the existing
ssh proxy/tunnel as measured by data, not by fear, and there are no
other considerations against it (such as maintainability, existing VPN
infrastructure, etc.), I would recommend keeping it.
There are many FUD-type claims against OpenSSH, OpenSSL,
insertYourFavouriteProtocolHere based on past issues, in favor of other
closed, small, not well maintained/updated alternatives. Despite the
bad press/performance in the past, Network Time Protocol, OpenSSH and
OpenSSL have been Linux Foundation Core Infrastructure Projects for a while,
with significant quantitative quality and funding improvements, reviews
and full disclosures in the open.
I hope it helps,
Tomas
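As an added example, not from this thread, here is a small Python audit of the relay-side authorized_keys for the tunnel account, checking the restrictions that "configured properly" implies for a device key: `restrict`, `permitlisten` pinned to one loopback port, a forced command, and no ssh-dss keys. It assumes OpenSSH 7.8 or later on the relay (for `permitlisten`) and that devices connect with `autossh -N -R`, so they never need a shell; the sample entries and their `device-NNNN` comments are constructed.

```python
"""Audit relay-side authorized_keys entries for a reverse-tunnel account: each
device key should be restrict-ed, pin forwarding to one loopback port, and force a command."""
import re

OPTION_RE = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')  # name or name="value"

def parse_entry(line):
    """Return (options, key_type, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = {}
    if not re.match(r"(ssh-|ecdsa-|sk-)", line):  # options precede the key type
        j, in_quote = 0, False
        while j < len(line) and (line[j] != " " or in_quote):  # quoted values may hold spaces
            in_quote ^= line[j] == '"'
            j += 1
        opts = {m.group(1): m.group(2) for m in OPTION_RE.finditer(line[:j])}
        line = line[j:].strip()
    parts = line.split(None, 2)
    return opts, parts[0], (parts[2] if len(parts) > 2 else "")

def audit_entry(opts, key_type, allowed_listen):
    """List weaknesses of one entry against the tunnel-only policy."""
    findings = []
    if key_type == "ssh-dss":
        findings.append("deprecated key type ssh-dss")
    if "restrict" not in opts:
        findings.append("missing 'restrict': pty, agent and X11 forwarding stay enabled")
    if "restrict" not in opts or "port-forwarding" in opts:  # forwarding is possible
        listen = opts.get("permitlisten")
        if listen is None:
            findings.append('remote forwarding not pinned: add permitlisten="127.0.0.1:PORT"')
        elif listen not in allowed_listen:
            findings.append(f"permitlisten {listen!r} is outside the allowed set")
    if "command" not in opts:
        findings.append("no forced command: the key can open an interactive shell")
    return findings

def audit_file(text, allowed_listen):
    """Audit every entry in an authorized_keys text -> [(comment, key_type, findings)]."""
    entries = filter(None, map(parse_entry, text.splitlines()))
    return [(c, k, audit_entry(o, k, allowed_listen)) for o, k, c in entries]

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
restrict,port-forwarding,permitlisten="127.0.0.1:2222",command="/bin/false" ssh-ed25519 AAAAC3PLACEHOLDER device-0042
# legacy entry: nothing restricted, so the device key is a full login key
ssh-rsa AAAAB3PLACEHOLDER device-0001
"""
```

Run it against the relay's real file with the set of loopback listeners you hand out per device; any non-empty findings list is a key to rotate or re-restrict.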
On Fri, 2017-03-03 at 09:13 -0800, VY wrote:
> Unfortunately, I have no access to that person anymore.
>
> Based on your experience, there were no issues that you have run into
> with such a deployment?
>
> -v
>
>
> On Fri, Mar 3, 2017 at 9:07 AM, Robert Citek <[email protected]>
> wrote:
>
> > I would ask the person who told you that this is not secure to
> > elaborate. I have worked with a number of companies that do this.
> > So I am as curious as you are.
> >
> > Regards,
> > - Robert
> >
> > On Fri, Mar 3, 2017 at 9:01 AM VY <[email protected]> wrote:
> >
> > > Dear All:
> > >
> > > I am supporting a client that has product Linux PCs running in
> > > the field. The person before me has built a reverse SSH tunnel
> > > (connection initiated by the device itself back to us and the
> > > connection is monitored by autossh).
> > >
> > > I was told this is not secure. I am no expert in security.
> > > What are the possible issues with this approach? And what would
> > > be a more secure mechanism than reverse SSH?
> > >
> > > thanks
> > >
> > > -v
> > > _______________________________________________
> > > PLUG mailing list
> > > [email protected]
> > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > >
> >