On Fri, Dec 25, 2009 at 10:37 PM, Daniel Mentz <[email protected]> wrote:
> Andreas Schuldei wrote:
>> now that i have ipsec in place, how do i replace ssh? i would like to
>> avoid double encryption, in order to not create extra work.
>
> I recommend not to replace ssh even in the presence of IPsec. Accept the
> fact that traffic is encrypted and authenticated twice. I think the impact
> on performance is negligible.
i certainly won't remove ssh from the computers involved. however i would
like to (at least) know how much the performance impact of double
encryption is, so that i make an informed decision.

> The advantage is that you only have to maintain a single daemon on the
> server side. You don't need to take care of another server daemon for rsh.

indeed: rsh runs on the same port as tcp syslog, and i would a) need to
move the rsh port to avoid conflicts, b) set up iptables rules forbidding
rlogin and rsh access not coming over ipsec and c) duplicate infrastructure
for moving around data that is in place and working for ssh. even worse:
on top of the additional effort, the system might become less robust.
however, since we have automated system configuration (with FAI) the
effort would be done once and then rolled out on all machines
automatically, more or less by itself.

> It's also more comfortable from a user perspective. The rule of thumb is:
> "Remote access == ssh". The user does not need to decide between ssh and rsh
> which would require him to be aware of the underlying network
> infrastructure.
>
>> how well do rsh, rcp and friends perform? i see there is a package
>> rsh-redone-server (and client) in debian, working over inetd. does
>> anyone use those? did someone come up with a useful set of iptables
>> rules in order to allow the use of the respective ports only when
>> coming from esp (or whatever good criteria there might be)?
>
> Can you read German? If yes, check out
>
> http://www.linux-magazin.de/heft_abo/ausgaben/2006/08/doppelnase
>
> If not, then search for "ipsec policy match". The man page of iptables also
> provides some pieces of information. Type in "man iptables" and search for
> "This modules matches the policy used by IPsec for handling a packet."

perfect, thanks.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
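Added example, not part of the thread: a small shell script sketching the iptables "policy match" rules Daniel points to, so the rsh/rlogin ports only accept traffic the kernel has already decapsulated from an IPsec ESP SA and cleartext attempts are dropped. The port list (513 login, 514 shell, i.e. the rsh-redone defaults once syslog is moved elsewhere), the ESP-only assumption and the dry-run wrapper are my assumptions, not anything from the list.

```shell
#!/bin/sh
# Added example (not from the mailing list): restrict the rsh/rlogin ports so
# they are reachable only through IPsec, using iptables' policy match.
# Assumptions: rlogin on tcp/513 and rsh on tcp/514 (override via RSH_PORTS),
# and the host's IPsec SAs use ESP (AH-only setups would need --proto ah).

IPT="${IPT:-iptables}"
RSH_PORTS="${RSH_PORTS:-513,514}"

# With DRY_RUN=1 (the default) the rules are printed instead of applied, so a
# change can be reviewed or diffed before it is rolled out (e.g. through FAI).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

ipsec_only_rules() {
  # Inbound: accept only if the packet matched an inbound IPsec policy and was
  # carried in ESP; the plain TCP port alone is not enough.
  run -A INPUT -p tcp -m multiport --dports "$RSH_PORTS" \
      -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  # Anything else reaching those ports arrived in cleartext: drop it.
  run -A INPUT -p tcp -m multiport --dports "$RSH_PORTS" -j DROP
  # Outbound: the same for the client side, so this host never sends an
  # rsh/rlogin session to a peer that is not covered by an IPsec policy.
  run -A OUTPUT -p tcp -m multiport --dports "$RSH_PORTS" \
      -m policy --dir out --pol ipsec --proto esp -j ACCEPT
  run -A OUTPUT -p tcp -m multiport --dports "$RSH_PORTS" -j DROP
}

# Number of rules the set consists of; handy as a sanity check in dry-run mode.
rule_count() {
  ipsec_only_rules | wc -l | tr -d ' '
}

ipsec_only_rules
```

Run it once as is to read the rules, then with `DRY_RUN=0` as root to apply them; the reverse stderr connection rsh opens back to the client uses a separate privileged port and is not touched by these rules.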
