another security question

E Frank Ball frankb at efball.com
Sun Mar 10 14:10:29 PST 2002


On Sun, Mar 10, 2002 at 01:58:33PM -0800, augie wrote:
} OK, let's say I've got an always-on connection at home, and I have a
} firewall/gateway between my internal LAN and the internet.
}
} Now suppose I am at school, and I've forgotten a file at home. Luckily I have
} my laptop with me, and both my gateway and the machine where the file resides
} are up. What would be the best setup, security-wise, to retrieve my file?
}
} Solution A:
} On the laptop, in a .ssh/config file, tell it when connecting to the gateway to
} use port 30 instead of port 22, thus limiting some direct scans on the
} gateway.
} Then on the gateway forward all port 30 requests to the internal machine,
} which will be running sshd and will only accept RSA key authentication, no
} passwords.

I do this to directly access my internal machines without having to
daisy-chain through my firewall machine.  I don't use port 30, I use
something >40000.

} Solution B:
} Same laptop setup as Solution A, but this time instead of forwarding port 30
} just run sshd on the gateway, and again only accept RSA key authentication.
} Then from the gateway ssh into the internal machine, again using key
} authentication.

I run ssh directly on my firewall on port 22.  Yes, I get scanned, but if
you keep it up to date that's OK.  The previous security hole in ssh was
found last February.  I updated it the next day, but people didn't start
scanning for that hole for quite a while after that.  I've now updated
to openssh 3.1.


} I have reservations about both methods.
} Solution A troubles me because anyone smart enough or lucky enough to just
} try port 30 on the gateway would be let right into the internal network.
} In Solution B I am concerned about keeping private keys on a public machine.

You could carry the keys on a floppy.  I have my ssh keys on my machines
at work, but they aren't quite "public".  If I'm on some "other" machine
I just use my password.  Use good passwords and pass phrases and you
should be ok either way.

-- 

   E Frank Ball                frankb at efball.com
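Both solutions in the thread hinge on the internal sshd accepting keys only, and a guessed port on the gateway is harmless only if that holds. The check below is an added example, not code from the thread; the sshd_config samples are constructed and the port number is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sshd_config samples for the
# internal machine; the port number is an assumption.
HARDENED_SSHD_CONFIG='Port 40022
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no'

# Weak counterpart: password logins (and PAM keyboard-interactive prompts)
# are still accepted, so guessing the forwarded port on the gateway exposes a
# password-guessing surface on the internal host.
WEAK_SSHD_CONFIG='Port 30
PubkeyAuthentication yes
PasswordAuthentication yes'

# Effective value of one keyword in an sshd_config read from stdin. sshd uses
# the FIRST occurrence of a keyword (later duplicates are ignored) and matches
# keywords case-insensitively. Prints nothing if the keyword is absent.
# Match blocks are not handled; see the note after this block.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# Prints "ok" and returns 0 when the config enforces key-only authentication;
# otherwise prints each problem and returns 1. Absent keywords fall back to
# the OpenSSH defaults (all three of these default to "yes").
check_key_only() {
    cfg="$1"; rc=0
    pw=$(printf '%s' "$cfg" | effective_value PasswordAuthentication)
    cr=$(printf '%s' "$cfg" | effective_value ChallengeResponseAuthentication)
    pk=$(printf '%s' "$cfg" | effective_value PubkeyAuthentication)
    [ "${pw:-yes}" = no ]  || { echo "PasswordAuthentication ${pw:-yes} (want no)"; rc=1; }
    [ "${cr:-yes}" = no ]  || { echo "ChallengeResponseAuthentication ${cr:-yes} (want no)"; rc=1; }
    [ "${pk:-yes}" = yes ] || { echo "PubkeyAuthentication $pk (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

check_key_only "$HARDENED_SSHD_CONFIG"
check_key_only "$WEAK_SSHD_CONFIG" || echo "weak config rejected"
```

On a real host, `sshd -T` prints the fully resolved configuration (Match blocks applied, keywords lowercased), so feed its output to check_key_only rather than the raw file.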