Deploying a VPN with PKI (O'ReillyNet)
Posted Oct 22, 2004 20:25 UTC (Fri) by NightMonkey (subscriber, #23051)
Parent article: Deploying a VPN with PKI (O'ReillyNet)
OK, I admit it. I skimmed this article. But I must point out that for many smaller networks (and maybe a few big ones), there is no need to make things so complicated to have a sensible amount of security for remote connections. Presenting...
ssh -D 1080 <SSHhost> &
This creates a SOCKS Proxy server (at localhost:1080) which communicates over the SSH channel. I've used it to secure browsing, e-mail and many other services. And, if you install Dante SOCKS Proxy Server, you get the command "socksify". This allows you to proxy many programs that don't have native SOCKS code, and can be used with any proxy server (not just Dante).
After setting up the ssh SOCKS proxy, you'd use socksify like so:
socksify emerge sync (Gentoo Portage sync proxying)
socksify lynx http://www.lwn.net/ (lynx has socks support, but you get the idea)
Seems a lot easier to me than all that SSL complexity. Yes, you can change your SSH keys every day or every hour if you want the additional "job security". You can change your users' passwords often, too (if you are allowing passphrase logins via SSH). You can also restrict SSH shell access. It's all there... I just wonder why more people and organizations don't use it. Is there something I'm missing in this model? Besides unnecessary overhead?