Thanks for the reply, I am now much more comfortable with this solution

-v

On Fri, Mar 3, 2017 at 2:28 PM, chris (fool) mccraw <[email protected]> wrote:

> I too have never heard of any problem with this setup (which I've also used
> with success, including the autossh part). Would be curious to know if
> anyone has substantive issues they can point to rather than scuttlebutt!
>
> On Fri, Mar 3, 2017 at 1:10 PM, Tom <[email protected]> wrote:
>
> > Reverse ssh tunnel is a secure solution, if configured properly and using
> > robust keys, access control and strong password. It keeps control over
> > the connection with the connecting user/site as it should be in normal
> > customer/supplier relationship.
> >
> > I do not want to speculate about what you've heard. If you were not
> > told why/what the problem is, I would do due diligence on the ssh side
> > (patching CVE reviews, access logs, configuration, best practices, key
> > rotation, etc.), formally request details from the person making the
> > security issue claim. If the outcome is not negative for the existing
> > ssh proxy/tunnel as measured by data, not by fear, and there are not
> > other considerations against it (such as maintainability, existing VPN
> > infrastructure, etc.), I would recommend keeping it.
> >
> > There are many FUD type claims against openSSH, openSSL,
> > insertYourFavouriteProtocolHere based on past issues in favor of other
> > closed, small, not well maintained/updated alternatives. Despite the
> > bad press/performance in the past, Network Time Protocol, OpenSSH and
> > OpenSSL are Linux Foundation Core Infrastructure Projects for a while -
> > with significant quantitative quality and funding improvements, reviews
> > and full disclosures in the open.
> >
> > I hope it helps, Tomas
> >
> > On Fri, 2017-03-03 at 09:13 -0800, VY wrote:
> >
> > > Unfortunately, I have no access to that person anymore.
> > >
> > > Based on your experience, there were no issues that you have run into
> > > with such deployment?
> > >
> > > -v
> > >
> > > On Fri, Mar 3, 2017 at 9:07 AM, Robert Citek <[email protected]> wrote:
> > >
> > > > I would ask the person who told you that this is not secure to
> > > > elaborate. I have worked with a number of companies that do this.
> > > > So I am as curious as you are.
> > > >
> > > > Regards,
> > > > - Robert
> > > >
> > > > On Fri, Mar 3, 2017 at 9:01 AM VY <[email protected]> wrote:
> > > >
> > > > > Dear All:
> > > > >
> > > > > I am supporting a client that has product linux PCs running in
> > > > > the field. The person before me has built a reverse SSH tunnel
> > > > > (connection initiated by the device itself back to us and the
> > > > > connection is monitored by autossh).
> > > > >
> > > > > I was told this is not secure. I am no expert in security.
> > > > > What are the possible issues with this approach? And what would
> > > > > be a more secure mechanism than reverse SSH?
> > > > >
> > > > > thanks
> > > > >
> > > > > -v
> > > > > _______________________________________________
> > > > > PLUG mailing list
> > > > > [email protected]
> > > > > http://lists.pdxlinux.org/mailman/listinfo/plug
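
Tom's reply in the thread above ties the tunnel's security to robust keys, access control and a configuration review. The following is an added example, not part of the thread or any poster's code: it audits the `authorized_keys` entries that let field devices open the reverse tunnel, checking key strength and the OpenSSH `restrict` and `permitlisten` options. It assumes the device keys sit in a tunnel-only account on the receiving server; the 2048-bit minimum, the finding names and the sample entries are constructed for illustration.

```python
import base64, re, struct

MIN_RSA_BITS = 2048  # assumed local policy, not a value from the thread

def field(buf, off):
    # Read one length-prefixed field from an SSH public key blob.
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def rsa_bits(b64):
    """Modulus size of an ssh-rsa key: blob is type, exponent e, modulus n."""
    blob = base64.b64decode(b64)
    _, off = field(blob, 0)
    _, off = field(blob, off)
    n, _ = field(blob, off)
    return int.from_bytes(n, "big").bit_length()

def audit(line):
    """Findings for one authorized_keys entry of a tunnel-only account."""
    # Split on whitespace, then on commas, both outside double quotes.
    tokens = re.findall(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+', line.strip())
    idx = next(i for i, t in enumerate(tokens)
               if t.startswith(("ssh-", "ecdsa-", "sk-")))
    opts = re.findall(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', ",".join(tokens[:idx]))
    names = {o.split("=", 1)[0].lower() for o in opts}
    ktype, b64 = tokens[idx], tokens[idx + 1]
    findings = []
    if ktype == "ssh-dss" or (ktype == "ssh-rsa" and rsa_bits(b64) < MIN_RSA_BITS):
        findings.append("weak-key")
    if "restrict" not in names:       # key may get a pty, agent/X11 forwarding
        findings.append("no-restrict")
    if "permitlisten" not in names:   # key may ask for any remote listen port
        findings.append("any-listen-port")
    return findings

def pack(b): return struct.pack(">I", len(b)) + b

def fake_rsa(bits):
    """Constructed blob with a modulus of the given size (not a usable key)."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(n)).decode()

FAKE_ED = base64.b64encode(pack(b"ssh-ed25519") + pack(bytes(32))).decode()
SAMPLE = [  # constructed entries, one per field device
    f'restrict,port-forwarding,permitlisten="localhost:2201" ssh-ed25519 {FAKE_ED} dev-01',
    f"ssh-rsa {fake_rsa(1024)} dev-02",
    f"restrict,port-forwarding ssh-rsa {fake_rsa(3072)} dev-03",
]
if __name__ == "__main__":
    print([(e.split()[-1], audit(e) or "ok") for e in SAMPLE])
```

An empty list means the entry passed all three checks; limits set server-wide in `sshd_config` are outside what this per-key audit sees.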
