On 20/3/24 13:32, to...@tuxteam.de wrote:
> How will a "VPN" with a "certificate" (whatever that means in this
> context) be more secure than a SSH (assuming key pair authentication,
> not password)?
>
> They are doing the same dance (key exchange, key pair validation,
> session key establishment) -- the "certificate" part is just a step
> further (and, BTW, SSH can do that, too), which just eases key
> management (at the expense of security: you have but one more moving
> part).
>
> The "port" thing stays the same: the VPN server uses a TCP
> connection, too.
>
> Moving the port to a non-standard number, using fail2ban, firewall
> knocking and those things don't increase security *directly* -- they
> just remove noise from the logs, which eases the admin's task and
> thus increases security indirectly.
Benefits of running VPN rather than VPN + SSH or even just SSH:
- VPN has only one 'hole' in the firewall.
- Providing VPN ingress through or to your firewall is a different
security model to hosting a ssh server on your firewall.
- Accessing an internal host using SSH from an internal machine is yet
another security model.
- An SSH server exposed to the public will have less ability to detect and
counter serious probes compared to a VPN server.
If you go for the arrangement I use, you need only have one security
mechanism for all internal ssh servers and that mechanism will also
defend in the event the firewall is breached.
Then in isolation you can develop a security strategy for your public
facing VPN ports as well as firewall configuration to mitigate any breach.
Regarding certificates, I issue VPN certificates to be installed on each
remote device. I don't use public keys.
For ssh use I issue secret keys to each user and maintain matching
public keys in LDAP servers. SSHD servers can get the public keys in
real time by using the AuthorizedKeysCommand. If a secret key is
compromised I simply remove the matching public key.
[users are locked out from uploading their public key using ssh-copy-id]
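The LDAP-backed AuthorizedKeysCommand arrangement described in the post, as an added example that is not the poster's own script: it refuses anything but a plain account name before building the LDAP filter, then turns the LDIF that ldapsearch returns into authorized_keys lines. The attribute name sshPublicKey (openssh-lpk schema), the LDAP URI, the base DN and the install path are assumptions.

```shell
#!/bin/bash
# Added example, not the poster's own script: an AuthorizedKeysCommand helper
# that fetches a user's keys from LDAP at login time. Assumptions: attribute
# "sshPublicKey" (openssh-lpk schema), ldap-utils installed, placeholder URI
# and base DN. In sshd_config (script must be root-owned, not group-writable):
#   AuthorizedKeysCommand     /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile        none   # LDAP becomes the only key source
set -euo pipefail
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"       # placeholder
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"  # placeholder

# Accept only a plain account name, so %u cannot alter the LDAP filter.
valid_user() {
    case "$1" in
        ''|.*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}
# Print one authorized_keys line for one unfolded LDIF attribute line;
# "attr:: value" means the value is base64-encoded.
emit_key() {
    local decoded
    case "$1" in
        'sshPublicKey:: '*)
            decoded=$(printf '%s' "${1#sshPublicKey:: }" | base64 -d) || return 1
            printf '%s\n' "$decoded" ;;
        'sshPublicKey: '*)
            printf '%s\n' "${1#sshPublicKey: }" ;;
    esac
}
# Read LDIF on stdin, joining folded continuation lines (leading space).
extract_keys() {
    local line acc=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ' '*) acc="$acc${line# }"; continue ;;
        esac
        emit_key "$acc"
        acc="$line"
    done
    emit_key "$acc"
}
main() {
    valid_user "$1" || { echo "refusing lookup for invalid user name" >&2; exit 1; }
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | extract_keys
}
# sshd passes the user name as the only argument; do nothing when sourced.
[ $# -eq 0 ] || main "$1"
```

Revoking a compromised key is then the removal of one sshPublicKey value in LDAP; sshd's non-zero exit on a refused name or a bad lookup denies the login, which is the safe default.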