sunhux

Caveats & common uses of ssh over public Internet

Q1:
What are the caveats & risks of doing ssh over the internet, esp. without
VPN?  Isn't it quite safe as ssh is encrypted?  Someone just told
me nobody practises ssh via public Internet.

Q2:
What are the common uses of ssh over public Internet (with
key exchange or password authentication)?  Setting up an
ssh tunnel?  Or for psftp or pscp?

Q3:
I suppose instead of ssh, people use https or ??
But with https, we'll need certificates while with ssh,
I don't need any.
ASKER CERTIFIED SOLUTION
Rich Rumble

sunhux

ASKER

That person interviewed me & just simply wanted to fail me
in the interview.  He's supposed to be a very experienced
security person.

As an interview question, he asked me:
What are the mitigation measures I can put in place for
ssh in the event the sysadmin who supports the ssh
leaves the company?

I replied that we ought to put in place two factor (or multiple
factor authentication) such as ACE token (the little dongle/
card with changing numbers that staff ought to return to the
company when he leaves the employment) or use ssh with
password authentication & change the password when the
staff leaves.

He told me the best answer is "physical security", i.e. deny
the staff who left entry into the company's premises.
I told him what if the ssh is used over the internet & he
sneered: is there anyone who uses ssh over the public
internet?

I just realized he has taken me for a ride.

He also asked why there is a need to do regular vulnerability
scans. I replied there are new vulnerabilities being uncovered
& the scan tool will be updated.  Besides, there are changes
to the systems (e.g. sysadmin or apps team install new
things on the systems or make system changes) & the
interviewer replied: the most accurate answer is this is
to give the team sufficient time to address the vulnerabilities
before an actual audit takes place. Well, everyone knows we
need time to fix the vulnerabilities.

That fellow just doesn't want an old person like me to join
his team ... sad that in my culture here, discrimination
against aging people is rampant.