
Craig Box wrote:
> To me, the advantage of SSH is I know I can connect into the machines from anywhere in the world. I'm happy to, if necessary, mess with keys to get this level of access, but I'm not happy to say "I can only connect from this netblock and these two other IPs."
I guess that really comes down to how you want to administer your box, and basically what turns you on at the end of the day. I certainly feel more comfortable with the idea of not opening ssh access to the world.
> When you consider the proliferation of SSL VPN technology (such as OpenVPN) these days, why is a VPN any different to SSH itself? They are both SSL encrypted connections. Running telnet over a SSL VPN sounds exactly like using SSH to me. Why add extra complexity?
Good point... I was thinking more along the lines of IPsec, GRE, ... rather than SSL VPNs. Basically running an SSH connection over the VPN connection; I do this quite often. Yeah, it is more complex, but at the end of the day, by doing this, somebody has got to hack into the router/firewall/VPN concentrator, and then hack into the host. That's why I suggested using a dedicated FW appliance in front of the host.
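The "SSH reachable only over the VPN, plus a couple of fixed admin addresses" arrangement the replies above describe, written out as an added example that is not part of this thread: a POSIX shell script that generates an nftables ruleset for the host (or the firewall appliance in front of it). The tunnel interface name tun0, the tunnel subnet 10.8.0.0/24 and the two fallback admin addresses (taken from the documentation ranges) are assumed placeholders, not values from the thread. The script only writes the ruleset to a file and syntax-checks it with `nft -c` when nft is installed; loading it is left to the operator.

```shell
#!/bin/sh
# Added example, not from the original thread: build an nftables ruleset
# that accepts SSH only (a) over the VPN tunnel interface from the tunnel
# subnet, or (b) from a short allow-list of admin addresses, and drops and
# logs every other connection attempt to port 22.
#
# All values below are constructed placeholders; override via environment.
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
ADMIN_IPS="${ADMIN_IPS:-192.0.2.10 198.51.100.7}"   # RFC 5737 documentation addresses

# gen_ssh_ruleset IFACE SUBNET ADMIN_IP... : print the ruleset to stdout.
gen_ssh_ruleset() {
    vpn_if=$1; vpn_net=$2; shift 2
    admins=$(printf '%s, ' "$@"); admins=${admins%, }
    cat <<EOF
table inet ssh_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # SSH over the VPN: must arrive on the tunnel interface AND from its
        # subnet, so a spoofed tunnel-range address on the public NIC fails.
        iifname "$vpn_if" ip saddr $vpn_net tcp dport 22 accept
        # Fallback admin addresses reachable without the VPN
        ip saddr { $admins } tcp dport 22 accept
        # Everything else to port 22 is logged and dropped
        tcp dport 22 log prefix "ssh-denied: " drop
    }
}
EOF
}

# count_ssh_accepts: number of accept rules for port 22 in a ruleset on stdin.
count_ssh_accepts() { grep -c 'dport 22 accept'; }

# write_ruleset FILE : render the ruleset with the configured values.
write_ruleset() { gen_ssh_ruleset "$VPN_IF" "$VPN_NET" $ADMIN_IPS > "$1"; }

if [ "${1:-}" = "--write" ]; then
    out=${2:-/tmp/ssh_guard.nft}
    write_ruleset "$out"
    # Syntax check only; apply (as root, after review) with: nft -f "$out"
    command -v nft >/dev/null 2>&1 && nft -c -f "$out"
    echo "ruleset written to $out"
fi
```

Run it as `sh ssh_guard.sh --write /tmp/ssh_guard.nft`, read the output, then `nft -f` it. Both the interface and the source-subnet test are needed on the VPN rule: matching the subnet alone would accept a packet with a forged 10.8.0.x source arriving on the public interface. The final drop rule is also where Craig's objection bites: if the VPN is down and the fallback addresses change, you are locked out, so keep out-of-band console access before loading this.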