SSH / VPN access from dynamic IPs / while traveling: knockd or dynDNS-based authentication?

What are the advantages and disadvantages of using knockd versus using dynamic DNS authentication to log into ssh or VPN from a dynamic IP or while traveling (like some random hotel IP)? Ideally, any device with ssh / VPN client capabilities should be able to use any additional client software.

(An alternative that supports opening ssh / VPN ports for everyone is not very attractive.)

I tend to favor knockd (or another port-knocking daemon) because it doesn't rely on anything outside, keeping its stuff uncompromising ...

-1


4 answers


Are you really afraid that your SSH port is open? What will happen?

You have denied root access, you have installed something like BFD or denyhosts, you are only using public key authentication ... do you really think this is not secure?



Adding something like knockd will, IMHO, probably lead to a false sense of security.

+3


Well, if you are not using DNSSEC, DNS based authentication is a pretty bad idea. DNS is not secure and service providers often use DNS.



+1


I myself use ssh on a non-standard port, only accepting usernames with keyfiles.

When I ran ssh on port 22, there were many dictionary attacks, but they all used the root user (who was not allowed to log into ssh anyway).

+1


Even if you leave the SSH port closed, you can leave the openvpn port open (and let openssh only listen on the vpn interface).

+1
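
The settings the answers above rely on (root login denied, key-only logins, sshd bound to the VPN interface) can be checked mechanically. The following is an added example, not code from any of the answers: it audits the global section of an sshd_config, and the VPN subnet 10.8.0.0/24 and both sample configs are constructed assumptions.

```python
import ipaddress

# OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_global(text):
    """Parse the global section only; stops at the first Match block."""
    single, listen = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "listenaddress":
            listen.append(value)          # may be given several times
        else:
            single.setdefault(key, value)  # sshd keeps the first value it reads
    return single, listen

def listen_host(value):
    """Strip the optional port from host, host:port or [host]:port."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value

def audit(text, vpn_net="10.8.0.0/24"):  # vpn_net: assumed VPN subnet
    single, listen = parse_global(text)
    get = lambda k: single.get(k, DEFAULTS[k]).lower()
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("root login not fully denied")
    if get("passwordauthentication") != "no":
        findings.append("password authentication enabled")
    if get("pubkeyauthentication") != "yes":
        findings.append("public key authentication disabled")
    if not listen:
        findings.append("sshd listens on all addresses")
    for addr in listen:
        try:
            ok = ipaddress.ip_address(listen_host(addr)) in ipaddress.ip_network(vpn_net)
        except ValueError:               # hostname or malformed entry
            ok = False
        if not ok:
            findings.append(f"ListenAddress {addr} is outside the VPN network")
    return findings

# Constructed sample configs.
EXPOSED = "# sample\nPort 22\nPermitRootLogin yes\nListenAddress 0.0.0.0\n"
HARDENED = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
            "PubkeyAuthentication yes\nListenAddress 10.8.0.1:2222\n")
```

An empty list from `audit()` means the file matches all three answers' settings; keyboard-interactive authentication and `Match` overrides are not evaluated.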