Andreas Schuldei wrote:
> hi!
>
> now that i have ipsec in place, how do i replace ssh? i would like to
> avoid double encryption, in order to not create extra work.

Hi Andreas,

I recommend not to replace ssh even in the presence of IPsec. Accept the fact that traffic is encrypted and authenticated twice. I think the impact on performance is negligible.

The advantage is that you only have to maintain a single daemon on the server side. You don't need to take care of another server daemon for rsh.

It's also more comfortable from a user perspective. The rule of thumb is: "Remote access == ssh". The user does not need to decide between ssh and rsh, which would require him to be aware of the underlying network infrastructure.

> how well do rsh, rcp and friends perform? i see there is a package
> rsh-redone-server (and client) in debian, working over inetd. does
> anyone use those? did someone come up with a useful set of iptable
> rules in order to allow the use of the respective ports only when
> coming from esp (or whatever good criteria there might be)?

Can you read German? If yes, check out
http://www.linux-magazin.de/heft_abo/ausgaben/2006/08/doppelnase

If not, then search for "ipsec policy match". The man page of iptables also provides some pieces of information. Type in "man iptables" and search for "This modules matches the policy used by IPsec for handling a packet."

-Daniel
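Added example, not part of the original message: a sketch of the "ipsec policy match" approach Daniel points to, accepting the r-services ports only for packets that arrived protected by ESP. The chain name RSERVICES, the log prefix and the choice of ports 513 (login) and 514 (shell) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: permit rlogin/rsh only for packets that were
# received under an IPsec ESP policy; log and drop everything else.
# Assumptions: ports 513 (login) and 514 (shell) as in /etc/services;
# the chain name RSERVICES is made up for this example.

RSH_PORTS="513,514"

# Print an iptables-restore fragment on stdout (no side effects).
rsh_ipsec_rules() {
    cat <<EOF
*filter
:RSERVICES - [0:0]
-A INPUT -p tcp -m multiport --dports ${RSH_PORTS} -j RSERVICES
-A RSERVICES -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A RSERVICES -j LOG --log-prefix "rsh-cleartext: "
-A RSERVICES -j DROP
COMMIT
EOF
}

# Load the rules only when explicitly asked to (needs root);
# --noflush leaves the rules already in the filter table in place.
if [ "${1:-}" = "apply" ]; then
    rsh_ipsec_rules | iptables-restore --noflush
fi
```

The jump into RSERVICES is appended to INPUT, so it only takes effect if no earlier rule already accepts these ports. IKE and ESP traffic itself has to be permitted by separate rules.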
