david@xxxxxxx writes:

> On Sun, 14 Dec 2008, martin wrote:
>
> > Dear David.
> > Why do you trust VPN more than the SSH?
> > I ask because I have just removed the "first VPN then SSH" solution
> > in favor of an SSH-only solution using Gitosis just to get rid of
> > the VPN, which I believe is less secure than SSH (well, until I read
> > your comments below).
> > I thought I was doing something right for once but maybe I'm not?
> > Thanks and best regards
> > Martin
>
> in part it's that a VPN is a single point of control for all remote
> access.
>
> If you use ssh you end up exposing all the individual machines
>
> 1. data leakage of just what machines exist to possibly hostile users.

Errr... what? One of the established practices is to expose only _one_
machine to the outside; you have to SSH to the gateway.

> 2. the many machines are configured separately, frequently by different
> people. this makes it far more likely that sometime some machine will
> get misconfigured.

See above.

> 3. people who are focused on providing features have a strong
> temptation to cut corners and just test that the feature works and not
> test that everything that isn't supposed to work actually doesn't
> work. as a result, in many companies there is a deliberate separation
> (and tension) between a group focused on controlling and auditing
> access and one that is focused on creating functionality and features.

And that differs from VPN in what way?

> also from a political/social point of view everyone recognises that if
> you grant someone VPN access you are trusting them, but people don't
> seem to think the same way with ssh.

Errr... what? I think everybody knows that unrestricted SSH access
(without limiting done by the shell used) means that you trust the user.

-- 
Jakub Narebski
Poland
ShadeHawk on #git