
Re: [Openvpn-users] SSHv2 vs OpenVPN security

  • Subject: Re: [Openvpn-users] SSHv2 vs OpenVPN security
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Tue, 28 Dec 2004 21:53:25 +0100 (CET)

On Tue, 28 Dec 2004, Charlie Hosner wrote:

Given that both SSH and OpenVPN are configured to only accept RSA keys for
authentication and strong encryption algorithms, is there anything in the
SSHv2 protocol making it less or more secure than the OpenVPN protocol?

I think you are asking about this from a crypto standpoint not necessarily an application standpoint. From a crypto standpoint, I would have to say they are equivalent if you use an equivalent algorithm combination. SSHv2 uses DHE-SHA1(HMAC) for key agreement, RSA for authentication, and whatever symmetric algorithm you want. It also swaps out session keys every hour for perfect forward secrecy, just like OpenVPN (adjustable with ReKeyIntervalSeconds). The handshakes are remarkably (right is right I guess) similar.

When you look at things from an application layer, it might not be quite
so simple.  You would need to run sshd as user/group nobody and chroot it
somewhere.  There is also the added security of TLS-auth that SSH
definitely doesn't have an equivalent to.

I know Mathias is quite familiar with the functionality differences
between SSH and OpenVPN, and he is probably asking this because he has
some clever scheme in mind, but to keep from confusing future readers,
SSHv2 is not going to provide you with the simple network
extension people usually seek in a VPN.  You would have to direct traffic
over the SSH tunnel via port forwarding or some other magic and it would
take a good amount of work to get the kind of set up OpenVPN gives you
"out of the box".  SSHv2 is good for doing things one port at a time,
especially if your one port is 22 ;)

Yes, you're right, I was only asking about this from a crypto standpoint. I too prefer OpenVPN in most cases, but there are still some cases where SSH is preferable.

The reason I asked was because I have a customer who is setting up a disaster recovery solution for a Solaris server, and simply needed shell access and a way to transfer files to the off-site backup machine. One user and one server -- can't be much easier, so I suggested to use SSH.

However, for some reason they did not accept SSH for securing this, but OpenVPN was okay. I claimed that SSH had the same level of security as both OpenVPN and IPSec (given it is correctly configured, of course), so I just wanted to make sure I was right about that...

I'm fine with setting up OpenVPN too, so it's no problem; the customer gets what they want. I just find it a little overkill to use OpenVPN in this scenario, which is exactly what SSH was designed to do, but policies are policies! If I had called it ssh-VPN instead of just ssh it would probably have been approved ;-) VPNs are good, other protocols can't be trusted!

Cheers and Happy New Year from me too!

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
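The thread compares the two protocols assuming both are "correctly configured": public-key-only authentication, strong symmetric ciphers, periodic rekeying, and (for the application layer) an unprivileged, chrooted daemon plus OpenVPN's tls-auth. The two fragments below are an added illustration of what that configuration looks like side by side; they are not from the original thread or from either project's documentation. Paths, the `backup` user name and the `/var/empty/*` chroot directories are constructed placeholders, and the cipher and MAC names assume a reasonably current OpenSSH and OpenVPN 2.x.

```conf
# --- sshd_config (OpenSSH) -------------------------------------------
# Only public-key authentication; no passwords, no keyboard-interactive.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# Constructed example: restrict the daemon to the single DR/backup account.
AllowUsers backup
# Strong symmetric cipher and MAC choices (names assume a modern OpenSSH).
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-256
# Renegotiate session keys after 1 GiB or one hour, whichever comes first
# (the SSH counterpart to OpenVPN's hourly rekey; sshd RekeyLimit needs
# OpenSSH 6.2 or later).
RekeyLimit 1G 1h
# Pre-7.5 releases: run the network-facing part of sshd as an unprivileged,
# chrooted user. Later releases always do this, and the option is ignored.
UsePrivilegeSeparation yes

# --- server.conf (OpenVPN 2.x) ---------------------------------------
proto udp
dev tun
# Certificate-based (RSA) authentication on both sides.
tls-server
ca   /etc/openvpn/ca.crt          # constructed path
cert /etc/openvpn/server.crt      # constructed path
key  /etc/openvpn/server.key      # constructed path
dh   /etc/openvpn/dh2048.pem      # constructed path
# Only accept peers whose certificate carries the client usage flag.
remote-cert-tls client
# tls-auth: HMAC-sign every control-channel packet with a pre-shared key so
# unsigned packets are dropped before the TLS handshake even starts.
tls-auth /etc/openvpn/ta.key 0    # constructed path
# Data-channel cipher and HMAC.
cipher AES-256-CBC
auth SHA256
# Renegotiate the data-channel key every hour (this is also the default).
reneg-sec 3600
# Drop privileges after start-up and confine the process.
user nobody
group nobody
chroot /var/empty/openvpn         # constructed path
persist-key
persist-tun
```

Note that OpenVPN drops privileges and chroots only after it has read its keys and opened the tun device, which is why `persist-key` and `persist-tun` are needed for restarts to keep working once it is running as `nobody`. On the SSH side, the comparable confinement is done by sshd's privilege separation rather than by starting the daemon itself as an unprivileged user, since sshd still needs root to create the user's session.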

Openvpn-users mailing list