
Re: Root password strength

On 20/3/24 13:32, tomas@tuxteam.de wrote:
> How will a "VPN" with a "certificate" (whatever that means in this
> context) be more secure than an SSH (assuming key pair authentication,
> not password)?
>
> They are doing the same dance (key exchange, key pair validation,
> session key establishment) -- the "certificate" part is just a step
> further (and, BTW, SSH can do that, too), which just eases key
> management (at the expense of security: you have but one more moving
> part).
>
> The "port" thing stays the same: the VPN server uses a TCP
> connection, too.
>
> Moving the port to a non-standard number, using fail2ban, firewall
> knocking and those things don't increase security *directly* -- they
> just remove noise from the logs, which eases the admin's task and
> thus increases security indirectly.

Benefits of running VPN rather than VPN + SSH or even just SSH:

- VPN has only one 'hole' in the firewall.

- Providing VPN ingress through or to your firewall is a different security model from hosting an ssh server on your firewall.

- Accessing an internal host using SSH from an internal machine is yet another security model.

- An SSH server exposed to the public will have less ability to detect and counter serious probes than a VPN server.

If you go for the arrangement I use, you need only one security mechanism for all internal ssh servers, and that mechanism will also defend in the event the firewall is breached.

Then in isolation you can develop a security strategy for your public facing VPN ports as well as firewall configuration to mitigate any breach.

Regarding certificates, I issue VPN certificates to be installed on each remote device. I don't use public keys.

For ssh use I issue secret keys to each user and maintain matching public keys in LDAP servers. sshd servers can get the public keys in real time by using the AuthorizedKeysCommand. If a secret key is compromised I simply remove the matching public key.

[users are locked out from uploading their public key using ssh-copy-id]
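The AuthorizedKeysCommand arrangement described in the message above, as an added example that is not the poster's own configuration or scripts. It assumes an openssh-lpk style schema (public keys in an 'sshPublicKey' attribute), a hypothetical LDAP URI and base DN, and an install path of /usr/local/sbin/ldap-authorized-keys; the sshd_config lines in the header comment are the assumed counterpart on each internal ssh server, with 'AuthorizedKeysFile none' being one way to make ~/.ssh/authorized_keys (and therefore ssh-copy-id) irrelevant. The parser handles two things ldapsearch does that trip up naive scripts: it folds long values onto continuation lines, and it base64-encodes values it cannot print verbatim. The sample LDIF at the bottom is constructed and contains no real key material.

```shell
#!/bin/sh
# Added example, not the poster's own scripts: an AuthorizedKeysCommand
# helper that asks LDAP for a user's public keys and prints them in
# authorized_keys format for sshd. Assumed (hypothetical) details: the
# openssh-lpk style 'sshPublicKey' attribute, the LDAP URI and base DN
# below, and an install path of /usr/local/sbin/ldap-authorized-keys.
#
# Matching sshd_config lines on each internal ssh server (assumed):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none   # no ~/.ssh/authorized_keys, so ssh-copy-id has no effect
#   PasswordAuthentication no

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.internal}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=internal}"

# ldapsearch folds attribute values longer than 76 columns onto
# continuation lines that start with one space; join them back together.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# Read LDIF on stdin and print one public key per line. Values that
# ldapsearch base64-encoded ("sshPublicKey:: ...") are decoded. Anything
# that does not start with a known key type is dropped, so a malformed
# attribute cannot smuggle authorized_keys options into sshd.
keys_from_ldif() {
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*) key=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d 2>/dev/null) ;;
            "sshPublicKey: "*)  key="${line#sshPublicKey: }" ;;
            *) continue ;;
        esac
        case "$key" in
            ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-*\ *)
                printf '%s\n' "$key" ;;
        esac
    done
}

# Look up one account. The username ends up inside an LDAP filter, so it
# is restricted to a safe character set before being interpolated.
lookup_user_keys() {
    user="$1"
    case "$user" in
        ""|*[!a-z0-9._-]*) return 1 ;;
    esac
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey | keys_from_ldif
}

# Constructed sample of what ldapsearch returns: a folded key for alice,
# a base64-encoded key (decodes to "ssh-ed25519 AAAAB3 bob@desk") for bob,
# and a junk attribute value that must not reach sshd. Not real keys.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=internal
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisDe
 mo0000000000 alice@laptop

dn: uid=bob,ou=people,dc=example,dc=internal
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQUIzIGJvYkBkZXNr
sshPublicKey: command="/bin/sh" not-a-key
EOF
}

# sshd runs this as: ldap-authorized-keys <username>. With no argument,
# run the parser over the constructed sample so it can be tried offline.
if [ "$#" -eq 1 ]; then
    lookup_user_keys "$1"
else
    sample_ldif | keys_from_ldif
fi
```

Revoking a compromised key is then exactly what the message describes: delete the sshPublicKey value from the LDAP entry and the next login attempt on every internal server gets no matching key, with nothing to clean up on the hosts themselves. Running the script with no argument prints the two keys from the constructed sample and silently drops the junk value.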
