What are the advantages and disadvantages of using knockd vs. using dynamic DNS based authentication for ssh or VPN logins from a dynamic IP address or while travelling (i.e. some random hotel IP)? Ideally, any device with ssh/VPN client capability should be able to use whatever additional client software is necessary.

(The alternative, keeping the ssh / VPN ports open for everyone, isn't very attractive.)

I tend to favor knockd (or other port knocking daemons) because it does not rely on a 3rd party keeping its stuff uncompromised ...

A: 

Well, unless you use DNSSEC, DNS-based authentication is a rather bad idea. DNS is not secure and hotel providers very often munge DNS.

bortzmeyer
A: 

Myself, I use ssh on a non-standard port, accepting only user logins with key files.

When I ran ssh on port 22, there were a lot of dictionary attacks, but they all used the 'root' user (who was not allowed to log in over ssh anyway).

gnud
+3  A: 

Are you really afraid of keeping your SSH port open? What's going to happen?

You've denied root access, you've installed something like BFD or denyhosts, you only use public key authentication... do you really think that this is not secure?

The addition of something like knockd is, IMHO, likely to introduce a false sense of security.

Mikeage
What's going to happen? Something like the recent Debian OpenSSL/SSH disaster ...
mjy
And knockd puts a nice layer of obscurity on top of it. I understand your concern, but I'd suspect that knockd is less secure (i.e., more likely to have a bug) than openssl; the debian debacle notwithstanding. Layered security is not bad, but you also have to make sure that your remote access method allows you to connect on those ports; I've seen hotspots and hotels that block many ports (even including 22, sometimes); what are the odds that your knock won't be possible? Do you know your remote environment well enough to ensure that it will allow what you need?
Mikeage
+1 good point. See comments of http://stackoverflow.com/questions/487737. 9 down, 6 to go (1 per day)
VonC
A: 

Even if you keep the SSH port closed, you could leave only openvpn's port open (and let openssh listen only on a vpn interface).

MatthieuP
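An added audit script, not written by any of the posters, that checks an sshd_config against the points raised in this thread: Mikeage's "deny root, public keys only" baseline and MatthieuP's suggestion of binding sshd to the VPN side only. The two sample configs and the 10.8.0.0/24 VPN range are constructed for the example.

```python
"""Audit sshd_config for the hardening discussed above (root login denied,
password auth off, sshd bound only to a VPN-side address)."""
import ipaddress

# OpenSSH defaults that apply when a keyword is absent (modern releases).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return (settings, listen_addresses) for the global section only.
    sshd uses the FIRST value it obtains for a keyword, and anything below a
    Match line applies conditionally, so we stop there."""
    settings, listen = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            break
        if key == "listenaddress":
            listen.append(value)                 # may appear several times
        else:
            settings.setdefault(key, value)      # first occurrence wins
    return settings, listen

def listen_host(value):
    """Extract the address from a ListenAddress value: 'addr', 'addr:port',
    '[v6addr]:port' or a bare IPv6 address (optional rdomain suffix dropped)."""
    value = value.split()[0]
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value

def audit(text, vpn_net):
    """Return a list of findings; an empty list means the config follows the advice."""
    settings, listen = parse_global(text)
    get = lambda k: settings.get(k, DEFAULTS[k]).lower()
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if not listen:
        findings.append("no ListenAddress: sshd listens on every interface")
    net = ipaddress.ip_network(vpn_net)
    for addr in listen:
        try:
            if ipaddress.ip_address(listen_host(addr)) not in net:
                findings.append(f"ListenAddress {addr} is outside {vpn_net}")
        except ValueError:
            findings.append(f"ListenAddress {addr} is not a literal address")
    return findings

# Constructed samples: a stock-looking config and one following the thread's advice.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 2222\nListenAddress 10.8.0.1:2222\nPermitRootLogin no\n"
                   "PasswordAuthentication no\nPubkeyAuthentication yes\n"
                   "Match User backup\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, "10.8.0.0/24") or ["ok"])
```

Settings inside Match blocks are deliberately skipped, so review those by hand; they can re-enable password logins for specific users or source addresses.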