On Tue, Sep 26, 2000 at 08:58:28PM -0400, Bennett Todd wrote:
> 2000-09-26-20:34:26 Martin Pool:
> > Alternatively you could run it over an IPSEC tunnel, but that's
> > *much* more complex to install than ssh.
> 
> More complex to install, and still wouldn't give the same precision
> as best I can tell. sshd can be configured to invoke a different
> server program, or a server program with different args, depending
> on what key is passed; taken together with wrapper scripts that can
> get at the originally requested commandline, this makes it possible
> to specify precisely what each key in ~/.ssh/authorized_keys is
> permitted to do. How would this effect be achieved using ipsec? I
> really think this is a job best suited to something at ssh's level
> in the protocol stack, SSL is too low-level and IPSEC is lower
> still.

The strengths and weaknesses come from being at a different level.  I
agree that ssh is generally better, but you might want IPSEC if

 * you want to burn the encryption cycles on the routers rather than
   the servers, and there is a secure network from each server to the
   router

 * you already have a corporate secure WAN, and don't want to doubly
   encrypt.  (though personally I would go ahead and use ssh as well
   until there were clearly performance problems)

 * some of the machines can't run ssh for whatever reason

 * you wear a belt and also braces

 ...

-- 
Martin Pool, Linuxcare, Inc.
[EMAIL PROTECTED], http://www.linuxcare.com/, +61 2 6262 8990
GPG 1024D/A0B3E88B: AFAC 578F 1841 EE6B FD95  E143 3C63 CA3F A0B3 E88B
Linuxcare. Support for the revolution.
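The per-key restriction Bennett describes above (sshd running a forced command for a given key, with a wrapper that inspects the originally requested command line) looks like this in practice. This is an added example and not code from the thread; the wrapper path /usr/local/bin/ssh-restrict, the allow-list, and the exact rsync server flag string are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a forced-command wrapper for one key
# in ~/.ssh/authorized_keys. sshd runs this script instead of whatever the
# client asked for and exposes the client's request in SSH_ORIGINAL_COMMAND.
# The matching authorized_keys line would be (key material is a placeholder):
#   command="/usr/local/bin/ssh-restrict",no-port-forwarding,no-X11-forwarding,\
#   no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER... backup-key
# The allow-list below is an assumption: one read-only rsync pull of
# /srv/export and one harmless status command. The rsync server flag string
# depends on the rsync version and client options; capture it from a real
# session (log SSH_ORIGINAL_COMMAND once) before pinning it here.

# Map the requested command line to the name of a permitted action.
# Prints the action name and returns 0, or prints "deny" and returns 1.
classify_request() {
    case "$1" in
        "rsync --server --sender -logDtpre.iLsf . /srv/export/")
            echo pull-export; return 0 ;;
        "uptime")
            echo uptime; return 0 ;;
        *)
            echo deny; return 1 ;;
    esac
}

# Exec a fixed argv for the permitted action. The client's string is only
# compared above, never re-parsed or handed to a shell, so it cannot carry
# extra options, paths or chained commands into what actually runs.
run_action() {
    case "$1" in
        pull-export) exec rsync --server --sender -logDtpre.iLsf . /srv/export/ ;;
        uptime)      exec uptime ;;
        *)           echo "ssh-restrict: request denied" >&2; exit 1 ;;
    esac
}

# Only act when really running under sshd (SSH_CONNECTION is set there).
# Running or sourcing the file elsewhere, e.g. to test classify_request,
# executes nothing. An interactive-shell request arrives with an empty
# SSH_ORIGINAL_COMMAND and is therefore denied as well.
if [ -n "${SSH_CONNECTION:-}" ]; then
    action=$(classify_request "${SSH_ORIGINAL_COMMAND:-}") || :
    run_action "$action"
fi
```

Because the wrapper matches the whole request string and then execs a fixed argument vector, a client holding this key can trigger exactly the two listed actions and nothing else; logging rejected requests to stderr (which the client sees) or to syslog gives you a detection signal when a key is being used outside its intended purpose.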
