Re: is gitosis secure?

david@xxxxxxx wrote:
> On Sun, 14 Dec 2008, martin wrote:
>
>> Dear David.
>> Why do you trust VPN more than SSH?
>> I ask because I have just removed the "first VPN then SSH" solution in favor of an SSH-only solution using Gitosis, just to get rid of the VPN, which I believe is less secure than SSH (well, until I read your comments below).
>> I thought I was doing something right for once, but maybe I'm not?
>> Thanks and best regards
>> Martin
>
> In part it's that a VPN is a single point of control for all remote access.
>
> If you use ssh you end up exposing all the individual machines:
>
> 1. data leakage of just what machines exist to possibly hostile users.
>
> 2. the many machines are configured separately, frequently by different people. This makes it far more likely that sometime some machine will get misconfigured.
>
> 3. people who are focused on providing features have a strong temptation to cut corners and just test that the feature works, and not test that everything that isn't supposed to work actually doesn't work. As a result, in many companies there is a deliberate separation (and tension) between a group focused on controlling and auditing access and one that is focused on creating functionality and features.
>
> Also, from a political/social point of view, everyone recognises that if you grant someone VPN access you are trusting them, but people don't seem to think the same way with ssh.
>
> David Lang


I opened port 22 in the firewall to just those hosts that I need to reach, which is one in this case... the rest of the machines I cannot reach. I did a brief port scan and the thing is silent... so I don't think I reveal any of the other hosts... but I should not say it's secure with your measures...

Your point two I don't understand... If you are in charge of the firewall you also know what machines you let people reach. If these machines are numerous then I think there is a management problem somewhere else...

Point 3 is correct, but I fail to see how this is less of a problem with VPN than SSH.

Thanks and best regards
Martin

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
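David's second and third points are about verification: once each exposed host carries its own sshd, someone has to check that every one of them is configured the way the access-control policy says, not just that pushes to the gitosis repository work. The script below is an added example for that check, not code from the thread or from gitosis. It audits an sshd_config file against a small explicit baseline (the key names and expected values are assumed for illustration; the two sample configs are constructed, not taken from any real host) and treats an absent setting as a finding, so the policy never silently depends on a particular build's defaults.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against an
# explicit baseline, so each host exposed on port 22 can be verified the
# same way instead of being trusted to be "configured correctly".

# effective_value FILE KEY -> prints the value sshd would use for KEY.
# sshd honours the first occurrence of a keyword, keywords are
# case-insensitive, and '#' starts a comment.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); if (NF < 2) next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> returns 0 when every check passes, 1 otherwise,
# printing one "FAIL:" line per finding. An absent keyword is a finding too:
# the policy should be written down, not inherited from the package default.
audit_sshd_config() {
    cfg="$1"; failures=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no \
                X11Forwarding=no; do           # assumed baseline for illustration
        key=${want%%=*}; expected=${want#*=}
        val=$(effective_value "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$val" != "$expected" ]; then
            echo "FAIL: $key is '${val:-unset}', expected '$expected'"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample configs (not real hosts' files).
weak_config() {
cat <<'EOF'
# sshd_config on a host where only "does the feature work?" was tested
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
}

hardened_config() {
cat <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
EOF
}

# audit_generated GENERATOR -> writes GENERATOR's output to a temporary file,
# audits it, and returns the audit's exit status.
audit_generated() {
    tmp=$(mktemp); "$1" > "$tmp"
    audit_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone run: audit both samples.
echo "== weak sample =="
audit_generated weak_config || echo "result: NOT compliant"
echo "== hardened sample =="
audit_generated hardened_config && echo "result: compliant"
```

Run it with `sh audit.sh`; to apply it across a fleet, run `audit_sshd_config` against each host's `/etc/ssh/sshd_config` (for example over the same ssh access, with a forced-command key that can only run this script) and collect the FAIL lines centrally, which is the "everything that isn't supposed to work actually doesn't" check David describes.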
