topic Re: ipsec tunnel more secure than ssh? in Operating System - Linux

ipsec tunnel more secure than ssh?

'chris' — Sat, 02 Jan 2010 19:35:12 GMT

Hi

I'd like to rsync some data between 2 linux machines over the Internet.
Is ipsec vpn tunnel more secure than ssh with a quite long and complicated password?

Re: ipsec tunnel more secure than ssh?

Michal Kapalka (mikap) — Sat, 02 Jan 2010 22:16:51 GMT

hi,

check this link :

http://www.schumi.ch/partner/SSHvsVPN.htm

- ok to your solution, for rsync only between two server somewhere on the internet you could use, only ssh, but if this servers are inside the DMZ/intranet, them you could use VPN/IPSEC to create connection between corporate lan and internet placed server, and them if you have access use rsynv over SSH.

mikap

Re: ipsec tunnel more secure than ssh?

Florian Heigl (new acc) — Wed, 06 Jan 2010 03:43:32 GMT

If you wanna ramp up the security for the ssh connection, you could use

the "command" and "from" settings in the file authorized_keys, which will allow the key-based access only from the "correct" server and will only allow him to run rsync.

A VPN will actually allow more access to the "authorized client" than a firewall restricted ssh will do, but opening up ssh just for rsync might be something to reconsider multiple times. If you don't have to, then don't make ssh available.

The actual transmission should be as secure with ssh than via a vpn, as they share most algorithms used for the encryption.

Re: ipsec tunnel more secure than ssh?

'chris' — Wed, 06 Jan 2010 05:26:46 GMT

>the "command" and "from" settings in the >file authorized_keys, which will allow the >key-based access only from the "correct" >server and will only allow him to run rsync.

Thx, but can u pls give some more details how this should work?

Re: ipsec tunnel more secure than ssh?

Steven E. Protter — Wed, 06 Jan 2010 16:06:50 GMT

Shalom,

These are two totally different, yet compatible technologies.

You could connect via an IPSEC/VPN and then rsync.

This would provide two layers of protection.

There is some configuration work to do, but it can be done.

Frankly however, rsync -e ssh and password free ssh authentication is good enough for most purposes. Only the NSA or people having very powerful computers have a chance to crack the encryption and that would take days or weeks of effort.

SEP

Re: ipsec tunnel more secure than ssh?

Matti_Kurkela — Wed, 06 Jan 2010 17:06:54 GMT

>the "command" and "from" settings in the file authorized_keys

These are documented in the sshd man page, in the chapter titled "AUTHORIZED_KEYS FILE FORMAT". There's even an example authorized_keys file, demonstrating various settings.

MK