Great Circle Associates Firewalls
(December 1996)

Subject: Plug-gw/proxy server for SSH (was Re: No FQDNs in known_hosts, bug or feature? )
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Thu, 26 Dec 1996 16:32:48 -0500
To: ssh@clinet.fi, firewalls@greatcircle.com
Cc: jeanpaul@dutepp0.et.tudelft.nl
In-reply-to: Your message of "Thu, 26 Dec 1996 14:09:06 +0100." <199612261309.AA28368@dutepp0.et.tudelft.nl>

>>>>> "J" == J P M van der Jagt <jeanpaul@dutepp0.et.tudelft.nl> writes:
    J> And I was thinking, maybe it's better not to record a hostname
    J> (either short or FQDN) in the known_hosts, but a numerical
    J> IP-address instead.  sshd then should not do a reverse mapping

  One reason to use the names given (and *not* FQDN) is that one may
want to pass these names through the SSH channel in a future protocol
because we'll want to do:

    J> B.t.w. do happen to know of a proxy server (or plug-gateway)
    J> for ssh which can be used with the FWTK?

  For incoming connections? I know of none.   

  For outgoing connections, you either want a transparent proxy
(e.g. Gauntlet rather than FWTK), or you want a sockified SSH client. 

  For incoming connections, I see two problems:

	a. how do you specify the final destination? This is where it
	might be better to pass hostnames. Externally they could be
	CNAMEs for the gateway, but the proxy server could use them
	to specify the final destination.

	b. the client currently decides what authentications to do.
	I'd like to have the client offer "server controlled
	authentications". 

	That would let the proxy server challenge the client, then
	plug to internal node, and then the internal node would
	challenge again. The type of each challenge could be very 
	different. (SecurId/CryptoCard/etc.. at firewall, RSA key
	internally, or other combinations)

   :!mcr!:            |  Network security consulting and
   Michael Richardson |      contract programming
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.

  



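As an added illustration (not code from the original post) of the known_hosts point argued above: once several internal hosts are reached through one gateway address, pinning host keys by IP address makes the second host look like a key change, while pinning by the name as typed keeps one key per destination. The host names, gateway address and keys below are constructed, and the store is a simplified stand-in for a real known_hosts file.

```python
# Constructed illustration: known_hosts pinning by name-as-typed versus by IP
# when two internal nodes sit behind a single plug gateway.
# Host names, the gateway address and the "keys" are made up for this example.

from dataclasses import dataclass, field

GATEWAY_IP = "192.0.2.1"   # constructed: address of the firewall/plug-gw

# Constructed DNS: each external alias is a CNAME-style name for the gateway.
DNS = {"db.gw.example.com": GATEWAY_IP, "web.gw.example.com": GATEWAY_IP}

# Constructed host keys presented by the internal node behind each alias.
SERVER_KEYS = {
    "db.gw.example.com": "ssh-rsa KEY-DB",
    "web.gw.example.com": "ssh-rsa KEY-WEB",
}


@dataclass
class KnownHosts:
    """Minimal known_hosts store: one pinned key per lookup label."""
    by_name: bool                      # True: pin by name typed; False: pin by IP
    pins: dict = field(default_factory=dict)

    def label(self, name):
        return name if self.by_name else DNS[name]

    def verify(self, name, presented_key):
        """Return 'new', 'ok' or 'MISMATCH' for a connection to `name`."""
        label = self.label(name)
        pinned = self.pins.get(label)
        if pinned is None:
            self.pins[label] = presented_key   # first contact: trust on first use
            return "new"
        return "ok" if pinned == presented_key else "MISMATCH"


def connect_all(by_name):
    """Connect to each alias twice and report the verification outcome."""
    kh = KnownHosts(by_name=by_name)
    results = []
    for _ in range(2):
        for alias in ("db.gw.example.com", "web.gw.example.com"):
            results.append((alias, kh.verify(alias, SERVER_KEYS[alias])))
    return results


if __name__ == "__main__":
    print("by name:", connect_all(True))    # new, new, ok, ok
    print("by IP:  ", connect_all(False))   # new, MISMATCH, ok, MISMATCH
```

With IP-keyed pinning the second internal host is reported as a key mismatch on every visit, a false alarm that trains users to ignore the one warning that matters.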