Educause Security Discussion mailing list archives

Re: remote access for linux clients


From: Jim Cheetham <jim.cheetham () OTAGO AC NZ>
Date: Fri, 30 Sep 2011 09:54:00 +1300


On 30/09/11 05:33, Entwistle, Bruce wrote:
> We are currently looking into options for connecting remote Linux
> users to servers located on our internal network.

Depending on what sort of access is required, ssh may be adequate. But
you have to worry about questions regarding the usernames you will use
(should they be the same as internal ones?), the authentication (using
ssh keys or passwords, requiring two-factor auth, should the password
come from an internal directory, should they be the same as internal
passwords, etc.), and the restrictions placed on the ssh connections
(should they all come to a single audited login host, do you allow
authentication forwarding, can you stop forward or reverse tunnels
being created).

However ...
> We currently use a Cisco ASA for VPN connections for our Windows
> and Mac users, but the last version of a Linux client was released
> over three years ago. So there doesn't look to be much support in
> this area.

I think it is more a case that the vpnc software and the protocol are
both stable. The upstream package development is quiet
(http://www.unix-ag.uni-kl.de/~massar/vpnc/ suggests Nov 2008 as the
last update), and this is the Debian stable version
(http://packages.debian.org/stable/net/vpnc). Note that Debian at
least are addressing some issues in the codebase
(http://packages.debian.org/changelogs/pool/main/v/vpnc/vpnc_0.5.3r449-2.1/changelog).

This way, remote users from Linux clients are coming through the same
security controls as other remote users, subject to the same policies.

I would recommend supporting connectivity to the Cisco, and suggest
the vpnc software.
- -- 
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham () otago ac nz          ☏ +64 3 470 4670 ☏ m +64 21 227 0015
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605
✔ NZ BeSTGRID RAO                   ✔ CAcert.org Assurer
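Added example, not part of the original message: a small check of the ssh connection restrictions the reply asks about (forwarding and tunnels) against an `sshd_config`, for a login host. It assumes "authentication forwarding" maps to OpenSSH's `AllowAgentForwarding`, uses OpenSSH's documented defaults, and only evaluates global settings; the sample config is constructed.

```python
# Added example: report which forwarding/tunnel features an sshd_config
# leaves enabled. Keyword names and defaults are OpenSSH's; the mapping of
# the message's "authentication forwarding" to AllowAgentForwarding is an
# assumption.
DEFAULTS = {
    "allowagentforwarding": "yes",  # agent forwarding is on unless disabled
    "allowtcpforwarding": "yes",    # covers forward (-L) and reverse (-R) tunnels
    "permittunnel": "no",           # tun(4) layer-2/3 tunnels
    "gatewayports": "no",           # remote forwards bound to non-loopback
}

def effective_settings(config_text):
    """Global values sshd would use: the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional overrides are out of scope for this global check
        if keyword in DEFAULTS and len(parts) > 1:
            seen.setdefault(keyword, parts[1].lower())
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}

def findings(config_text):
    """Keywords whose effective value is anything other than 'no'."""
    effective = effective_settings(config_text)
    return sorted(key for key, value in effective.items() if value != "no")

# Constructed sample: the second AllowTcpForwarding line is ignored by sshd,
# and the Match block does not change the global agent-forwarding default.
SAMPLE = """\
# constructed sample sshd_config
Port 22
AllowTcpForwarding no
allowtcpforwarding yes
PermitTunnel point-to-point
GatewayPorts=no
Match Group staff
    AllowAgentForwarding no
"""

if __name__ == "__main__":
    for keyword in findings(SAMPLE):
        print("still enabled:", keyword, "=", effective_settings(SAMPLE)[keyword])
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source for the same values.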

