Hi,

On Mon, 17 Sep 2007 12:56:16 -0300 "Arturo 'Buanzo' Busleiman" <[EMAIL PROTECTED]> wrote:

> > So I would definitely prefer to always have a guaranteed working
> > sshd running (I find OpenVPN/telnet a bit strange and an unnecessary
> > potential security hole).
>
> If running permanently, then I agree, but I do not see the potential
> security hole if using a correctly designed/configured tunnel.

I just prefer manual "opening" of access means above manual "securing"
them. It's just about what happens if you fail -- when the task was
securing, you might have a security leak, but if it was opening access,
it is still secured. It's relatively moot, since opening access is also
often error prone in the sense of "opening too much". I think it's
personal taste :-)

> > session. So you have to weigh the risks. The real problem, however,
> > can only be overcome by another way to log in. Firing up another
> > instance of sshd (on a different port) is just a matter of one
> > simple command, so I definitely prefer that.
>
> As long as there is no issue with the sshd binary, of course :)

Yeah, but in that case you'd know it at that point, and it caused no
other harm than preventing you from setting up that fallback sshd. You
can then still fix it (or set up OpenVPN/telnet ;-)) using the old sshd
that's still listening. Just remember not to do a "killall sshd".

-hwh
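
The fallback-listener approach discussed in this message, as an added example that is not part of the original thread: start a second sshd on its own port with its own PID file, then pick the main daemon by PID file instead of by name. The binary path, PID file locations and port 2222 are assumptions; adjust them to the system at hand.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and port below are assumptions.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"
MAIN_PIDFILE="${MAIN_PIDFILE:-/var/run/sshd.pid}"
FALLBACK_PIDFILE="${FALLBACK_PIDFILE:-/var/run/sshd-fallback.pid}"
FALLBACK_PORT="${FALLBACK_PORT:-2222}"

# Print the PID stored in a PID file, but only if it is purely numeric.
pid_from_file() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Start the second listener on its own port with its own PID file.
# "sshd -t" checks configuration and host keys before anything is started.
start_fallback() {
    "$SSHD_BIN" -t || return 1
    "$SSHD_BIN" -p "$FALLBACK_PORT" -o "PidFile=$FALLBACK_PIDFILE"
}

# Print the one PID that may be restarted: the main listener. Refuses unless
# the fallback is recorded, alive, and a different process, so the fallback
# and the sessions forked from it are never signalled (unlike "killall sshd").
main_pid_to_restart() {
    main_pid=$(pid_from_file "$MAIN_PIDFILE") || return 1
    fb_pid=$(pid_from_file "$FALLBACK_PIDFILE") || return 1
    [ "$main_pid" != "$fb_pid" ] || return 1
    kill -0 "$fb_pid" 2>/dev/null || return 1
    printf '%s\n' "$main_pid"
}

# Only act when asked to; without --run the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    start_fallback || { echo "fallback sshd not started" >&2; exit 1; }
    sleep 1   # give the daemon a moment to write its PID file
    target=$(main_pid_to_restart) || { echo "fallback not verified" >&2; exit 1; }
    echo "fallback listening on port $FALLBACK_PORT; main sshd PID is $target"
    echo "log in through the fallback first, then: kill -HUP $target"
fi
```

If sshd_config sets ListenAddress with an explicit port, that setting overrides `-p`, so confirm the fallback is actually reachable on the new port before touching the main daemon.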