Re: [leaf-user] ssh to host behind firewall: connect direct or through router?

2002-05-24 Thread Greg Morgan

Eric House [EMAIL PROTECTED] wrote:
> There seem to be two ways to allow ssh access from outside the
> firewall to a host inside: 1. forward some port on the fw to the host;
> 2. connect directly to sshd on the fw and use the -Lport:host:port
> flag to forward an additional connection to the host.
>
> Is there agreement on which method is better (where better means
> more secure, I guess)?

To answer the security question, I believe you have to look at how often
you are able to get a bug fix on each host.  For example, if you are
using the port forward method in #1. above, that would depend on the
host you are forwarding to.  I know Redhat had a security fix for the
last ssh vulnerability right away.  The same goes for method #2 above.
Jacques Nilo had an ssh package for all the LEAF firewalls.  So if the
timeliness of the patches is the same, it depends on how quickly you
apply the patches as to which method is more secure.

> The fw and host are at home.  Most of the time I'm connecting from
> outside I'm either at work and want to xhost some app, or I want to
> transfer a bunch of files.  Occasionally I need to tweak the router,
> so picking #1 above wouldn't remove the need to have sshd on the
> router's floppy.

This may then depend on style in your case.  If you are more
comfortable port forwarding, method #1, then use it.  If you want to
stop at the firewall first and then jump off to somewhere else on your
home network, then pick method #2 above.  Perhaps there's another task
that you would want to do in the future that would affect your
decision.  For now it does not seem to matter which method you use in
your case.  However, it appears that your ssh tasks appear geared toward
your internal machine -- xhosting and scp files -- versus firewall
maintenance.

> Connections are always from machines that have keys in the router's
> (and inside host's) .ssh/authorized_keys files.  Password login is
> disabled.
>
> I'm running Bering RC2.
>
> Thanks,
>
> --Eric

Hope this helps,
Greg Morgan
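
Method #2 from the thread, written out as a client-side ~/.ssh/config. This is an added example, not configuration posted by either participant; the host name fw.example.org, the inside address 192.168.1.10, the local port 2222 and the alias names are placeholders.

```sshconfig
# Constructed example: fw.example.org, 192.168.1.10, port 2222 and the
# Host aliases below are placeholders, not values from the thread.

# Step 1: log in to sshd on the firewall and carry a tunnel with it.
# "ssh fw" then behaves like: ssh -L 2222:192.168.1.10:22 fw.example.org
# Only the firewall's sshd is reachable from outside; the inside host's
# sshd is never exposed on the external interface (unlike method #1).
Host fw
    HostName fw.example.org
    # Keys only, matching the setup described in the question.
    PasswordAuthentication no
    LocalForward 2222 192.168.1.10:22

# Step 2: while "ssh fw" is up, reach the inside host through the tunnel.
# The inner ssh session is encrypted end to end inside the outer one, so
# the inside host still authenticates the client with its own
# authorized_keys entry.
Host inside
    HostName localhost
    Port 2222
    # Record and check the inside host's key under its own name instead of
    # "localhost", so a changed key behind the tunnel is still detected and
    # other tunnels to localhost do not collide in known_hosts.
    HostKeyAlias inside-host
    PasswordAuthentication no
```

With the first session open, `ssh inside` and `scp inside:file .` both travel through the forwarded port. Either way the firewall's sshd stays exposed for router maintenance, so it is the daemon that has to be patched promptly under method #2.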


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



[leaf-user] ssh to host behind firewall: connect direct or through router?

2002-05-23 Thread Eric House

There seem to be two ways to allow ssh access from outside the
firewall to a host inside: 1. forward some port on the fw to the host;
2. connect directly to sshd on the fw and use the -Lport:host:port
flag to forward an additional connection to the host.

Is there agreement on which method is better (where better means
more secure, I guess)?

The fw and host are at home.  Most of the time I'm connecting from
outside I'm either at work and want to xhost some app, or I want to
transfer a bunch of files.  Occasionally I need to tweak the router,
so picking #1 above wouldn't remove the need to have sshd on the
router's floppy.

Connections are always from machines that have keys in the router's
(and inside host's) .ssh/authorized_keys files.  Password login is
disabled.

I'm running Bering RC2.

Thanks,

--Eric

**
* From the desktop of: Eric House, [EMAIL PROTECTED]*
*Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords  *
**

