Aaron Sherman ajs@ajs.com
Wed Jan 29 06:56:26 PST 2003

On Mon, 2003-01-27 at 10:18, Wayne Earl wrote:
> On Sun, Jan 26, 2003 at 10:20:09AM -0500 or thereabouts, Shawn McMahon wrote:
> > ssh is your friend; these applications are not.  I'm assuming you
> > don't mean "point of sale".  :-)
> Oh really? I know of companies that have had dozens of compromises
> because of code screw ups with OpenSSH.
> Don't fall into the "it's secure because we use crypto" trap. This is
> almost as foolish as the "it's secure because the source is open"
> trap. Fact is, Sturgeon's Law applies to software as well - 90% of
> everything is crap.

I'm assuming that he was talking about port-forwarding via ssh, and
making the (correct) assertion that requiring key exchange along with
other methods (like packet filtering based on source IP) will improve
the state of your application security.

If someone has to be a) coming from your netblock and b) have your key
and c) is only allowed to run nothing (e.g. "-N") and is only allowed to
port forward to a pre-defined service (e.g. via a DMZed ssh proxy host)
you're a heck of a lot better off than you are by opening a port to the

Woefully, it would not help in this case. The service in question was
UDP-based. You would need a real VPN for that one, and that too is a
good option.


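The layered restrictions discussed in this thread (source-netblock filtering, key-only access, no command execution, forwarding limited to one pre-defined service) can all be expressed server-side in OpenSSH's authorized_keys options: `from=`, `permitopen=`, `restrict` plus `port-forwarding`, and a forced `command=`. The following is an added example, not code from the list or from OpenSSH: a small auditor that parses authorized_keys lines and flags tunnel keys that lack one of those restrictions. The policy it enforces is the example's own assumption, the sample keys are constructed, and `restrict` requires an OpenSSH release much newer than the 2003 versions under discussion. As the final reply notes, none of this helps a UDP service: `ssh -L` forwards TCP only.

```python
"""Audit OpenSSH authorized_keys entries meant for tunnel-only use.

Assumed policy (this example's, not the mailing list's): every key must carry
  from="..."        accept the key only from the listed source hosts/netblocks
  permitopen="h:p"  allow -L forwarding only to a pre-defined service
  restrict          drop pty, agent/X11 forwarding, user rc, and all forwarding
  port-forwarding   re-enable only TCP port forwarding after 'restrict'
  command="..."     forced command, so a client that omits -N gets no shell
"""
import re

# Key-type token followed by base64 key material; everything before it is options.
KEY_RE = re.compile(
    r'(?:^|\s)((?:sk-)?(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)'
    r'(?:@openssh\.com)?)\s+([A-Za-z0-9+/=]+)')

# Constructed sample entries (key material is not a real key).
GOOD_LINE = ('from="192.0.2.0/24,198.51.100.7",permitopen="10.0.0.5:5432",'
             'restrict,port-forwarding,command="/bin/false" '
             'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial000000 tunnel@client')
BAD_LINE = 'ssh-rsa AAAAB3NzaC1yc2EConstructedKeyMaterial0000000000000000 admin@laptop'

REQUIRED = [
    ('from', 'missing from=: key is accepted from any source address'),
    ('permitopen', 'missing permitopen=: client may forward to any host:port'),
    ('restrict', 'missing restrict: pty, agent/X11 forwarding and user rc stay enabled'),
    ('command', 'missing command=: a client that omits -N gets a login shell'),
]


def split_options(opt_string):
    """Split the comma-separated option field, keeping commas inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in opt_string:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ',' and not in_quote:
            opts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        opts.append(''.join(cur))
    return opts


def parse_entry(line):
    """Return (options dict, key type) for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = KEY_RE.search(line)
    if not m:
        raise ValueError('no key material found in line: %r' % line)
    options = {}
    for opt in split_options(line[:m.start()].strip()):
        if not opt:
            continue
        name, sep, value = opt.partition('=')
        # Flag options (restrict, no-pty, ...) map to True; valued ones keep their value.
        options[name.strip()] = value.strip().strip('"') if sep else True
    return options, m.group(1)


def audit_entry(line):
    """Return a list of policy findings for one authorized_keys line (empty = compliant)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    options, _ = parsed
    findings = [msg for name, msg in REQUIRED if name not in options]
    if 'restrict' in options and 'port-forwarding' not in options:
        findings.append('restrict without port-forwarding: the tunnel itself is disabled')
    if options.get('permitopen') == 'any':
        findings.append('permitopen="any": forwarding target is not limited')
    return findings


def audit_file(text):
    """Map line number -> findings for every key line in an authorized_keys file body."""
    return {n: audit_entry(l) for n, l in enumerate(text.splitlines(), 1)
            if parse_entry(l) is not None}


if __name__ == '__main__':
    for lineno, findings in audit_file(GOOD_LINE + '\n' + BAD_LINE).items():
        print(lineno, findings or 'ok')
```

The client side of a compliant entry is `ssh -N -L 5432:10.0.0.5:5432 tunnel@proxy`: `-N` asks for no command, `permitopen` refuses any other forwarding target, and the forced command means a client that forgets `-N` runs `/bin/false` instead of a shell.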