david@xxxxxxx writes:

> this is really a reply to an earlier message that I deleted.
>
> the question was asked 'what would the security people like instead of
> SSH'
>
> as a security person who doesn't like how ssh is used for everything,
> let me list a couple of concerns.
>
> ssh is default allow (it lets you run any commands), you can lock it
> down with effort.

How is VPN better than that?

> ssh defaults to establishing a tunnel between machines that other
> network traffic can use to bypass your system. yes I know that with
> enough effort and control of both systems you can tunnel over
> anything, the point is that ssh is eager to do this for you (overly
> eager IMHO)

How is VPN better than that?

> ssh depends primarily on certificates that reside on untrusted
> machines. it can be made to work with tokens or such, but it takes a
> fair bit of effort.

There probably VPN differs...

> sshd runs as root on just about every system

And VPN doesn't?

[...]

The idea with using SSH was, I think, that it is easier and better to use
an existing solution for authentication and authorization than to roll your
own (see the case of CVS pserver, and Subversion svnserve).

--
Jakub Narebski
Poland
ShadeHawk on #git
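Added example, not part of the original thread: a small auditor for the "default allow" and "eager tunnelling" concerns quoted above. It reads OpenSSH `authorized_keys` entries and reports what each key is still permitted to do. The sample entries, key material and the `/usr/local/bin/git-only` path are constructed placeholders.

```python
import re

# A line starting with a key type has no options field. Otherwise the field
# ends at the first whitespace outside quotes; items split on unquoted commas.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
FIELD_RE = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')
ITEM_RE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')
FEATURES = ("port-forwarding", "agent-forwarding", "x11-forwarding", "pty")

def audit_line(line):
    """Return (key comment, what this key may still do), or None to skip."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    allowed = dict.fromkeys(FEATURES, True)      # sshd permits these by default
    forced_command = False
    if not line.startswith(KEY_TYPES):
        m = FIELD_RE.match(line)
        if m is None:
            return (line, ["unparseable line"])
        field, line = m.groups()
        for opt in ITEM_RE.findall(field):       # applied in order, later wins
            name = opt.partition("=")[0].lower()
            if name == "restrict":
                allowed = dict.fromkeys(FEATURES, False)
            elif name == "command":
                forced_command = True
            elif name in allowed:                # e.g. "pty" after "restrict"
                allowed[name] = True
            elif name.startswith("no-") and name[3:] in allowed:
                allowed[name[3:]] = False
    findings = [] if forced_command else ["arbitrary commands"]
    findings += [f for f in FEATURES if allowed[f]]
    parts = line.split(None, 2)
    return (parts[2] if len(parts) > 2 else "(no comment)", findings)

# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLE = r'''ssh-ed25519 AAAAC3PLACEHOLDER alice@laptop
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-port-forwarding,no-pty ssh-ed25519 AAAAC3PLACEHOLDER bob@ci
restrict,command="/usr/local/bin/git-only, strict" ssh-ed25519 AAAAC3PLACEHOLDER carol@build
restrict,pty ssh-rsa AAAAB3PLACEHOLDER dave@ops
'''

def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE):
        print(f"{label}: {', '.join(findings) or 'locked down'}")
```

An entry with no options reports every capability, which is the default-allow behaviour the quoted message describes; only the `restrict` plus `command=` entry comes back empty.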