Re: [Openvpn-users] SSHv2 vs OpenVPN security

  Subject: Re: [Openvpn-users] SSHv2 vs OpenVPN security
  From: Leonard Isham <leonard.isham@xxxxxxxxx>
  Date: Tue, 28 Dec 2004 09:52:25 -0500

On Tue, 28 Dec 2004 09:39:02 -0500 (EST), Charlie Hosner
<chosner@xxxxxxxxx> wrote:
> I think you are asking about this from a crypto standpoint not
> necessarily an application standpoint.  From a crypto standpoint, I would
> have to say they are equivalent if you use an equivalent algorithm
> combination.  SSHv2 uses DHE-SHA1(HMAC) for key
> agreement, RSA for authentication, and whatever symmetric algorithm you
> want.  It also swaps out session keys every hour for perfect forward
> secrecy, just like OpenVPN (adjustable with ReKeyIntervalSeconds).  The
> handshakes are remarkably (right is right I guess) similar.
> When you look at things from an application layer, it might not be quite
> so simple.  You would need to run sshd as user/group nobody and chroot it
> somewhere.  There is also the added security of TLS-auth that SSH
> definitely doesn't have an equivalent to.
> I know Mathias is quite familiar with the functionality differences
> between SSH and OpenVPN, and he is probably asking this because he has
> some clever scheme in mind, but to keep from confusing future readers,
> SSHv2 is not going to provide you with the simple network
> extension people usually seek in a VPN.  You would have to direct traffic
> over the SSH tunnel via port forwarding or some other magic and it would
> take a good amount of work to get the kind of set up OpenVPN gives you
> "out of the box".  SSHv2 is good for doing things one port at a time,
> especially if your one port is 22 ;)
> Happy New Year all!!
> Charlie
> On Tue, 28 Dec 2004, Mathias Sundman wrote:
> > Hi list,
> >
> > Given that both SSH and OpenVPN are configured to only accept RSA keys for
> > authentication and strong encryption algorithms, is there anything in the
> > SSHv2 protocol making it less or more secure than the OpenVPN protocol?
> >
> > /Mathias
> >

Something that may be significant: 3SP (www.3sp.com), which makes a Java
VNC client that integrates ssh for security, has a new product out that
is an SSL-based VPN.  At least that is what they say; I have not had a
chance to look under the covers and see what exactly it does.  I've
been too happy with James and OpenVPN.

Leonard Isham, CISSP 
Ostendo non ostento.

