Eric House <[EMAIL PROTECTED]> wrote:

> There seem to be two ways to allow ssh access from outside the
> firewall to a host inside: 1. forward some port on the fw to the host;
> 2. connect directly to sshd on the fw and use the -Lport:host:port
> flag to forward an additional connection to the host.
>
> Is there agreement on which method is better (where "better" means
> more secure, I guess)?
To answer the security question, I believe you have to look at how often you are able to get a bug fix on each host. For example, if you are using the port forward method in #1 above, that would depend on the host you are forwarding to. I know Redhat had a security fix for the last ssh vulnerability right away. The same goes for method #2 above. Jacques Nilo had an ssh package for all the LEAF firewalls. So if the timeliness of the patches is the same, it depends on how quickly you apply the patches as to which method is more secure.

> The fw and host are at home. Most of the time I'm connecting from
> outside I'm either at work and want to xhost some app, or I want to
> transfer a bunch of files. Occasionally I need to tweak the router,
> so picking #1 above wouldn't remove the need to have sshd on the
> router's floppy.

This may then depend on "style" in your case. If you are more comfortable port forwarding, method #1, then use it. If you want to stop at the firewall first and then jump off to somewhere else on your home network, then pick method #2 above. Perhaps there's another task that you would want to do in the future that would affect your decision. For now it does not seem to matter which method you use in your case. However, it appears that your ssh tasks are geared toward your internal machine--xhosting and scp files--versus firewall maintenance.

> Connections are always from machines that have keys in the router's
> (and inside host's) .ssh/authorized_keys files. Password login is
> disabled.
>
> I'm running Bering RC2.
> Thanks,
>
> --Eric

Hope this helps,
Greg Morgan

_______________________________________________________________
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
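The two methods Eric lists, written out as commands and configuration, as an added example that is not part of the original thread or of the LEAF/Bering distribution. Every name in it is an assumption: fw.example.net for the firewall, 192.168.1.10 for the inside host, work.example.com for the allowed source, port 2222 and interface eth0; the public key is a constructed placeholder, and the forwarding rules are given in plain iptables form rather than Bering's own configuration files. The authorized_keys line is the check a practitioner adds for method #2: the firewall's sshd is what lets a logged-in key -L to anything on the LAN, so a key used only for tunnelling is pinned with permitopen to the inside host's sshd.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names (not from the page):
#   fw.example.net    external name of the Bering firewall
#   192.168.1.10      the inside host Eric wants to reach
#   work.example.com  the only outside machine that should get in
#   2222              spare TCP port (outside port on the fw for #1, local for #2)
#   eth0              the firewall's external interface

# Method 1: the firewall forwards one outside port straight to inside sshd.
# The rules are printed, not applied, so the script runs anywhere. After
# this the inside host's sshd is reachable from the Internet, so its patch
# timeliness is what decides the security of the setup.
method1_dnat_rules() {
    # $1 external interface, $2 outside port, $3 inside host
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' "$1" "$2" "$3"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 22 -m state --state NEW -j ACCEPT\n' "$1" "$3"
}

# Method 2: a tunnel-only key for the FIREWALL's authorized_keys. A bare key
# lets its holder -L to any LAN address once authenticated to the fw;
# permitopen limits the -L targets this key may request to the inside host's
# sshd, from= limits the source, and no-pty refuses an interactive terminal.
# Keep a separate, unrestricted key for the occasional router maintenance.
method2_authorized_keys_line() {
    # $1 allowed source, $2 inside host, $3 public key ("type base64 comment")
    printf 'from="%s",permitopen="%s:22",no-pty,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2" "$3"
}

# Method 2: client ~/.ssh/config. "ssh -fN fw" opens the tunnel; "ssh inside"
# and "scp file inside:" then ride through it. HostKeyAlias files the inside
# host's key under its own name instead of localhost:2222, so a host key
# mismatch warning on this entry means a real key change, not a port reuse.
method2_client_config() {
    # $1 firewall, $2 inside host, $3 local port
    printf 'Host fw\n    HostName %s\n    LocalForward %s %s:22\n\n' "$1" "$3" "$2"
    printf 'Host inside\n    HostName localhost\n    Port %s\n    HostKeyAlias %s\n    ForwardX11 yes\n' "$3" "$2"
}

# Demo with the assumed values; the public key below is a constructed placeholder.
echo '# Method 1 (run on the firewall):'
method1_dnat_rules eth0 2222 192.168.1.10
echo
echo '# Method 2 (append to ~/.ssh/authorized_keys on the firewall):'
method2_authorized_keys_line work.example.com 192.168.1.10 'ssh-rsa AAAAB3...constructed eric@work'
echo
echo '# Method 2 (client ~/.ssh/config):'
method2_client_config fw.example.net 192.168.1.10 2222
```

With the config in place, `ssh -fN fw` brings up the tunnel and `ssh -X inside` or `scp files inside:` use it; the inside host's own authorized_keys is left unrestricted so X11 forwarding and scp still work on the inner hop. The tunnel-only key must be distinct from the key used to tweak the router, since no-pty on the latter would get in the way of that.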
