
Re: [Openvpn-users] SSHv2 vs OpenVPN security

  • Subject: Re: [Openvpn-users] SSHv2 vs OpenVPN security
  • From: Charlie Hosner <chosner@xxxxxxxxx>
  • Date: Tue, 28 Dec 2004 09:39:02 -0500 (EST)

I think you are asking about this from a crypto standpoint, not
necessarily an application standpoint.  From a crypto standpoint, I would
have to say they are equivalent if you use an equivalent algorithm
combination.  SSHv2 uses DHE-SHA1(HMAC) for key
agreement, RSA for authentication, and whatever symmetric algorithm you
want.  It also swaps out session keys every hour for perfect forward
secrecy, just like OpenVPN (adjustable with ReKeyIntervalSeconds).  The
handshakes are remarkably (right is right I guess) similar.

When you look at things from an application layer, it might not be quite
so simple.  You would need to run sshd as user/group nobody and chroot it
somewhere.  There is also the added security of TLS-auth that SSH
definitely doesn't have an equivalent to.

I know Mathias is quite familiar with the functionality differences
between SSH and OpenVPN, and he is probably asking this because he has
some clever scheme in mind, but to keep from confusing future readers,
SSHv2 is not going to provide you with the simple network
extension people usually seek in a VPN.  You would have to direct traffic
over the SSH tunnel via port forwarding or some other magic and it would
take a good amount of work to get the kind of setup OpenVPN gives you
"out of the box".  SSHv2 is good for doing things one port at a time,
especially if your one port is 22 ;)

Happy New Year all!!


On Tue, 28 Dec 2004, Mathias Sundman wrote:

> Hi list,
> Given that both SSH and OpenVPN are configured to only accept RSA keys for
> authentication and strong encryption algorithms, is there anything in the
> SSHv2 protocol making it less or more secure than the OpenVPN protocol?
> /Mathias
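
Added example, not part of the original message and not OpenVPN project code: a small Python check that audits an OpenVPN config for the application-layer settings mentioned above (tls-auth, running as an unprivileged user/group, chroot) and for the hourly rekey, which OpenVPN sets with reneg-sec. Both sample configs and the chroot path are constructed for illustration.

```python
import shlex

# Constructed sample configs (not from the post); paths are placeholders.
WEAK = """\
dev tun
; tls-auth ta.key 0
reneg-sec 0
"""
HARDENED = """\
dev tun
tls-auth ta.key 0
user nobody
group nobody
chroot /var/empty/openvpn  # constructed path
reneg-sec 3600
"""

def parse_config(text):
    """Map each directive to its argument list, skipping '#' and ';' comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # drops trailing '# ...'
        if parts:
            directives[parts[0].lstrip("-")] = parts[1:]
    return directives

def audit(text, max_rekey=3600):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    # tls-crypt (a later OpenVPN option) also authenticates the control channel.
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        findings.append("tls-auth: missing, handshake packets are not HMAC-checked")
    for opt in ("user", "group"):
        if cfg.get(opt, ["root"])[0] == "root":
            findings.append(f"{opt}: daemon does not drop root after startup")
    if "chroot" not in cfg:
        findings.append("chroot: missing, daemon sees the whole filesystem")
    # reneg-sec defaults to 3600 when absent; 0 disables time-based rekeying.
    rekey = int(cfg.get("reneg-sec", ["3600"])[0])
    if rekey == 0 or rekey > max_rekey:
        findings.append(f"reneg-sec: {rekey} gives no rekey within {max_rekey}s")
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "ok")
```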
