Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] vnc



> On 8/24/2014 12:22 PM, markw at mohawksoft.com wrote:
>> I would opt to use openvpn instead of an SSH tunnel. You have a better
>> control over security and "ease."
>
> Meh. Shell access is an on/off toggle. Changing how you flip this toggle
> doesn't offer better or worse security, nor does it make anything
> intrinsically easier or more difficult. One can just as easily manage
> access with PAM and LDAP groups.

SSH is a very BAD thing to open up to the free internet. BAD BAD BAD. 
Once in, you are in. Shell access is dangerous.

Let's break it down:


SSH opens a hole through which many security exploits can come.

SSH tunnels don't allow proper accounting of who is accessing resources.

SSH only recently supports a PKI that allows a single master cert.
Unfortunately, you have no way to expire keys, no one knows how to use
it, and all the non-openssh clients don't support it.

Because of the previous problem, you need to add a key to every server or
maintain passwords in the form of LDAP or some PAM module. (yuck)

(One caveat to these statements is that much can be done with a PAM
module, but openvpn does these things and WAY more out of the box.)

openvpn has a PKI that allows properly authorized keys to be issued
without touching target servers.

openvpn allows secure access to the network, then you can add more
security at the service level.

openvpn operates on its own network and virtual adapter. This clearly
identifies the origin of the connection and can allow proper firewalling.

openvpn can log every user access with an assigned ip address so that
breaches can be tracked. Access from an SSH client only shows its host's
IP address.


>
> I think of it this way: If users need access to everything on an
> isolated network then a VPN usually is the better choice. Otherwise SSH
> is the better choice. Right tool for the job and all that.

I really hate "right tool for right job" arguments because once you read
one, it is usually an excuse for doing something wrong or being lazy.

An SSL session, by definition, opens up network access to everything. Why
not then use a VPN to do it right?


>
> That said, I'd avoid using OpenVPN. I don't like X.509. I want X.509 to
> die in a fire. I want it to die painfully and permanently and never
> bother anyone ever again. For Linux to Linux I'd use Layer 3 tunneling
> over SSH using sshuttle to handle the heavy lifting.

Well, the security industry did the work long ago and VPN is the more
secure way to allow access. You can hack around with SSH, and if it's just
your home server, "Farewell and adieu to you, fair Spanish ladies."

If you want a professional access system that can be deployed securely,
SSH will be laughed out of the room.

>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>
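The accounting point made above (every VPN user gets an assigned address, so a hit on an internal service can be traced back to a client certificate) is something you can actually automate. The script below is an added example and is not from the original post or from the OpenVPN project: it parses an OpenVPN status file in the `--status-version 2` layout, builds a map from virtual (tunnel) address to certificate common name, and joins that against web-server access-log lines. The status file contents, the access-log lines, the `10.8.0.0/24` tunnel subnet and the `CLIENT_LIST` column names are all constructed for the example; the parser reads the column names from the file's own `HEADER` line rather than hard-coding positions, because the exact column set differs between OpenVPN releases. A request from a tunnel-range address that matches no connected client is flagged rather than silently attributed, since that is exactly the case an investigator would want to see.

```python
"""Attribute access-log hits from the VPN subnet to OpenVPN client certificates.

Added example (not from the original post or the OpenVPN project).  Sample
status file and access-log lines below are constructed; the tunnel subnet
10.8.0.0/24 is an assumed 'server' directive value.
"""
import ipaddress
import re
from typing import Dict, List, Optional

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")  # assumed OpenVPN tunnel subnet

# Constructed --status-version 2 file: HEADER lines name the columns that follow.
STATUS_FILE = """\
TITLE,OpenVPN 2.4.7 x86_64-pc-linux-gnu
TIME,Mon Aug 25 12:00:00 2014,1408968000
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,alice,203.0.113.5:51234,10.8.0.6,,1200,3400,Mon Aug 25 11:50:00 2014,1408967400,UNDEF,0,0
CLIENT_LIST,bob,198.51.100.7:40001,10.8.0.10,,800,900,Mon Aug 25 11:55:00 2014,1408967700,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,alice,203.0.113.5:51234,Mon Aug 25 11:59:00 2014,1408967940
ROUTING_TABLE,10.8.0.10,bob,198.51.100.7:40001,Mon Aug 25 11:59:30 2014,1408967970
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

# Constructed Apache/nginx combined-format access log lines from an internal host.
ACCESS_LOG = """\
10.8.0.6 - - [25/Aug/2014:11:58:01 -0400] "GET /wiki/ HTTP/1.1" 200 512
10.8.0.10 - - [25/Aug/2014:11:58:05 -0400] "POST /admin/ HTTP/1.1" 403 0
10.8.0.77 - - [25/Aug/2014:11:58:09 -0400] "GET /admin/ HTTP/1.1" 200 2048
192.0.2.9 - - [25/Aug/2014:11:58:12 -0400] "GET / HTTP/1.1" 200 128
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Map virtual (tunnel) address -> {'cn': common name, 'real': public endpoint}.

    Column positions are taken from the HEADER,CLIENT_LIST line so the parser
    survives version-to-version column additions.  Common names containing a
    comma would need proper CSV handling; OpenVPN does not quote them here.
    """
    columns: Dict[str, List[str]] = {}
    clients: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        fields = line.split(",")
        if fields[0] == "HEADER" and len(fields) > 2:
            columns[fields[1]] = fields[2:]
        elif fields[0] == "CLIENT_LIST" and "CLIENT_LIST" in columns:
            rec = dict(zip(columns["CLIENT_LIST"], fields[1:]))
            vip = rec.get("Virtual Address", "")
            if vip:  # a client may have no v4 address assigned yet
                clients[vip] = {"cn": rec["Common Name"], "real": rec["Real Address"]}
    return clients


def attribute(log_text: str, clients: Dict[str, Dict[str, str]],
              subnet: ipaddress.IPv4Network = VPN_SUBNET) -> List[Dict[str, Optional[str]]]:
    """Tie each log line's source address to a VPN client certificate.

    Verdicts: 'ok' (tunnel address, connected client found), 'UNATTRIBUTED'
    (tunnel address but no connected client: stale log, spoofed source, or a
    host that reached the tunnel subnet without going through the VPN), and
    'non-vpn' (source outside the tunnel range, out of scope here).
    """
    rows: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, request, status = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        if addr not in subnet:
            rows.append({"src": src, "cn": None, "real": None, "when": when,
                         "request": request, "status": status, "verdict": "non-vpn"})
            continue
        client = clients.get(src)
        rows.append({
            "src": src,
            "cn": client["cn"] if client else None,
            "real": client["real"] if client else None,
            "when": when,
            "request": request,
            "status": status,
            "verdict": "ok" if client else "UNATTRIBUTED",
        })
    return rows


if __name__ == "__main__":
    table = parse_status(STATUS_FILE)
    for row in attribute(ACCESS_LOG, table):
        who = row["cn"] or "?"
        print(f'{row["verdict"]:13} {row["src"]:11} {who:8} {row["request"]} -> {row["status"]}')
```

In practice you would read the status file from the path given by the server's `status` directive and fetch the access log from the internal host; pinning each certificate to a fixed tunnel address (OpenVPN's `client-config-dir` with `ifconfig-push`) keeps the mapping stable across reconnects so historical logs remain attributable, and the `UNATTRIBUTED` verdict is the line to alert on.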





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org