Re: SSH & VPN's



> What actually led me to SSH was the Linux VPN-mini-HOWTO.  VPN = Virtual
> Private Network,  or creating encrypted connections between networks over the
> internet.  Because dialing into a getty/login doesn't cut it any more,  and I
> want to get away from having to support dial in modems (YUCK).  If I can get
> this to work I hope to be able to run telnet, X, and ICA (NT/Winframe) just
> like I can from my workstation at the office. Although much slower. I'm 99.44%
> of the way to having it working.  You actually run pppd over the pts allocated
> for the SSH session!  Like an interface within an interface,  whoever came up
> with that is brilliant.

I also use SSH as a kind of a VPN.  It works great, in fact I'm using
it right now doing my email.  I live in Portage and work in Three Rivers.  
This way I can connect into work with only a local phone call (to my ISP)
instead of long distance to Three Rivers.  Saves a ton of money.

I never tried ICA once I'm connected in.  I'll have to play with that.
We have a couple of NTrigue servers that can accept ICA or X connections.

I believe the security of SSH is excellent, but I took it one step
farther.  My sshd_config file has all remote IP addresses denied.
I then wrote a front end network/socket program that does a sort
of one time password scheme that I came up with myself.  So before
I can do a slogin or ssh command, I have to authenticate myself
with my front end program, otherwise sshd will not let me connect.
The one-time password is random each time, and I have to decode it 
with a different program on my home PC, and send back the right 
challenge key and then it notifies sshd to let me in.  A cron job
on the host removes old IP addresses from sshd later.

Call me paranoid about security, but I have the firewall set
to the strictest it can be, and proxy almost all outgoing
and incoming connections (including SMTP) through a proxy
server sitting outside my firewall.  Better safe than . . .

--------------------------------------------
Bruce Smith                bruce@armintl.com
System Administrator / Network Administrator
Armstrong International, Inc.
Three Rivers, Michigan  49093  USA
--------------------------------------------
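The pre-authentication gatekeeper Bruce describes (a one-time challenge the client must answer before its address is added to sshd's allow list, with a cron job pruning old addresses) can be sketched as a small model. The following is an added example, not Bruce's program: it substitutes an HMAC-SHA256 challenge-response over a shared secret for his home-grown scheme, binds each answer to the requesting IP, makes every challenge single-use and short-lived, and keeps a time-limited allow list. The shared secret, the IP addresses, and the time limits are constructed placeholders, and writing the resulting list into whatever access-control mechanism sshd consults is left to the deployment.

```python
import hmac
import hashlib
import os
import time
import ipaddress

# Shared secret between the home PC and the gatekeeper on the host.
# Constructed placeholder; a deployment would generate and distribute a real one.
SHARED_SECRET = b"example-shared-secret-replace-me"
CHALLENGE_TTL = 30     # seconds a challenge stays answerable (assumed value)
GRANT_LIFETIME = 600   # seconds an IP stays on the allow list (assumed value)


def compute_response(secret, ip, nonce):
    """Client side: the reply the home PC sends for a challenge.
    The answer is bound to the client IP, so a captured reply is useless from elsewhere."""
    msg = f"{ip}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Gatekeeper:
    """Server side: hands out one-time challenges and keeps a time-limited allow list."""

    def __init__(self, secret, clock=time.time):
        self._secret = secret
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # ip -> (nonce, issued_at)
        self._grants = {}            # ip -> expiry timestamp

    def issue_challenge(self, ip):
        ip = str(ipaddress.ip_address(ip))   # reject malformed addresses early
        nonce = os.urandom(16).hex()         # fresh per request, never reused
        self._pending[ip] = (nonce, self._clock())
        return nonce

    def verify(self, ip, response):
        """Consume the pending challenge for ip; grant access only on a correct, timely answer."""
        ip = str(ipaddress.ip_address(ip))
        entry = self._pending.pop(ip, None)  # single use: success or failure consumes it
        if entry is None:
            return False
        nonce, issued_at = entry
        now = self._clock()
        if now - issued_at > CHALLENGE_TTL:
            return False                     # stale challenge, client must ask again
        expected = compute_response(self._secret, ip, nonce)
        if not hmac.compare_digest(expected.encode(), str(response).encode()):
            return False                     # constant-time comparison of the answer
        self._grants[ip] = now + GRANT_LIFETIME
        return True

    def expire(self):
        """The cron job's role: drop grants whose lifetime has passed. Returns the removed IPs."""
        now = self._clock()
        stale = sorted(ip for ip, exp in self._grants.items() if exp <= now)
        for ip in stale:
            del self._grants[ip]
        return stale

    def allowed_hosts(self):
        """Current allow list, to be written into whatever sshd consults (not shown here)."""
        self.expire()
        return sorted(self._grants)


if __name__ == "__main__":
    gk = Gatekeeper(SHARED_SECRET)
    client_ip = "203.0.113.7"                # constructed documentation address
    nonce = gk.issue_challenge(client_ip)
    answer = compute_response(SHARED_SECRET, client_ip, nonce)
    print("granted:", gk.verify(client_ip, answer), "allowed:", gk.allowed_hosts())
```

Two properties matter here beyond what the message spells out: a challenge is consumed on the first answer whether right or wrong, so an attacker cannot keep guessing against the same nonce, and a grant carries its own expiry, so the cleanup job is a safety net rather than the only thing closing the door.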