[PLUG] Reverse SSH tunnel

chris (fool) mccraw gently at gmail.com
Fri Mar 3 22:28:52 UTC 2017


I too have never heard of any problem with this setup (which I've also used
with success, including the autossh part).  Would be curious to know if
anyone has substantive issues they can point to rather than scuttlebutt!

On Fri, Mar 3, 2017 at 1:10 PM, Tom <tomas.kuchta.lists at gmail.com> wrote:

> Reverse ssh tunnel is a secure solution, if configured properly and using
> robust keys, access control and strong password. It keeps control over
> the connection with the connecting user/site as it should be in a normal
> customer/supplier relationship.
>
> I do not want to speculate about what you've heard. If you were not
> told why/what the problem is, I would do due diligence on the ssh side
> (patching, CVE reviews, access logs, configuration, best practices, key
> rotation, etc.), formally request details from the person making the
> security issue claim. If the outcome is not negative for the existing
> ssh proxy/tunnel as measured by data, not by fear, and there are no
> other considerations against it (such as maintainability, existing VPN
> infrastructure, etc.), I would recommend keeping it.
>
> There are many FUD type claims against OpenSSH, OpenSSL,
> insertYourFavouriteProtocolHere based on past issues in favor of other
> closed, small, not well maintained/updated alternatives. Despite the
> bad press/performance in the past, Network Time Protocol, OpenSSH and
> OpenSSL have been Linux Foundation Core Infrastructure Projects for a
> while - with significant quantitative quality and funding improvements,
> reviews and full disclosures in the open.
>
> I hope it helps, Tomas
>
> On Fri, 2017-03-03 at 09:13 -0800, VY wrote:
> > Unfortunately, I have no access to that person anymore.
> >
> > Based on your experience, there were no issues that you have run into
> > with such deployment?
> >
> > -v
> >
> >
> > On Fri, Mar 3, 2017 at 9:07 AM, Robert Citek <robert.citek at gmail.com> wrote:
> >
> > > I would ask the person who told you that this is not secure to elaborate.
> > > I have worked with a number of companies that do this. So I am as curious
> > > as you are.
> > >
> > > Regards,
> > > - Robert
> > >
> > > On Fri, Mar 3, 2017 at 9:01 AM VY <vyau5678 at gmail.com> wrote:
> > >
> > > > Dear All:
> > > >
> > > > I am supporting a client that has product Linux PCs running in the field.
> > > > The person before me has built a reverse SSH tunnel (connection initiated
> > > > by the device itself back to us and the connection is monitored by
> > > > autossh).
> > > >
> > > > I was told this is not secure.  I am no expert in security.  What are the
> > > > possible issues with this approach?  And what would be a more secure
> > > > mechanism than reverse SSH?
> > > >
> > > > thanks
> > > >
> > > > -v
> > > > _______________________________________________
> > > > PLUG mailing list
> > > > PLUG at lists.pdxlinux.org
> > > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > > >
>
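
The configuration and key checks mentioned in the quoted reply above, sketched as an added example that is not part of the original thread: a small audit of the `authorized_keys` entries on the server that field devices dial back to. It assumes OpenSSH 7.8 or later on that server (for `permitlisten`), and the port, comment and key blobs are constructed placeholders.

```python
# Added example: audit authorized_keys entries used for reverse tunnels.
WEAK_KEY_TYPES = {"ssh-dss"}  # DSA, disabled by default in current OpenSSH

def parse_entry(line):
    """Return (options dict, key type) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):  # no options field
        return {}, line.split()[0]
    opts, buf, in_quote, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote and i + 1 < len(line):
            buf, i = buf + line[i + 1], i + 2  # escaped char inside quotes
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in ", " and not in_quote:  # end of one option
            name, _, value = buf.partition("=")
            opts[name.lower()] = value
            buf = ""
            if ch == " ":  # options field ends at first unquoted space
                break
        else:
            buf += ch
        i += 1
    rest = line[i:].split()
    return opts, (rest[0] if rest else "")

def audit_entry(line):
    """List hardening gaps for a key that should only open a reverse tunnel."""
    opts, key_type = parse_entry(line)
    findings = []
    if "restrict" not in opts:
        findings.append("no 'restrict': pty, agent and X11 forwarding stay enabled")
    if "permitlisten" not in opts:
        findings.append("no 'permitlisten': remote-forward listen port is not pinned")
    if "command" not in opts:
        findings.append("no forced command: key can run arbitrary commands")
    if key_type in WEAK_KEY_TYPES:
        findings.append("weak key type " + key_type)
    return findings

# Constructed sample entries (key blobs are placeholders, not real keys).
OPEN = "ssh-dss AAAAB3PLACEHOLDER device01"
HARDENED = ('restrict,port-forwarding,permitlisten="localhost:2201",'
            'command="/bin/false" ssh-ed25519 AAAAC3PLACEHOLDER device01')

if __name__ == "__main__":
    for entry in (OPEN, HARDENED):
        print(parse_entry(entry)[1], audit_entry(entry) or "ok")
```

The hardened entry still works with `autossh` when the device connects with `-N`, since no remote command is requested.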


