gabriel rosenkoetter on Wed, 3 Jul 2002 03:33:19 -0400
On Tue, Jul 02, 2002 at 10:58:20PM -0400, Jesse Schultz wrote:
> gabriel rosenkoetter wrote:
> >I could easily expand on the SSH PKI rant I've been on today, if
> >people want to hear it
> I do.

Well, if we've got the time, I'm glad to run through how my own setup works and what the various pitfalls of using PKI with SSH are. Sounds like we've got a pretty interesting topic this meeting, so maybe I'll pull this together with some other crypto-related stuff and talk about it later in the year. Maybe MCT and I could talk about CipherSaber. ;^>

> Even though I pulled us into a tangent on the su thing, I would be
> interested in using certificates with SSH. Also with POP3 if you know
> anything about that.

Well, POP3 has no internal encryption methods. You can talk POP3 over an SSL-encrypted channel (and you can call it POP3S if you like, but you're in a state of sin when you do ;^>), and you can even do that, I'm told, when talking to a Microsoft Exchange server, though I haven't gotten my hands on my employer's yet to try.

Some MTAs make it easier to hook into this than others. Probably the easiest way to graft it onto an existing MTA without recompilation or (more than trivial) reconfiguration is stunnel[1]. A more complicated, though in the long run cheaper, in terms of maintenance, and more truly secure[2] route would be IPSec. Don't try that on Linux right now unless you want to learn a whole lot about the internals of FreeSWAN. (I'd be glad to be corrected and told that FreeSWAN is easy these days and actually does all of IPSec, but I think I'd have heard a lot more noise about it by now if that were the case).

> I like rants :-)

Heh.

[1] http://www.stunnel.org/

[2] IPSec buys you authentication and rekeying; with stunnel you must trust the remote end of the socket to stay trustworthy, which isn't necessarily a safe thing to do.

--
gabriel rosenkoetter
gr@eclipsed.net
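As an added illustration (not part of the original thread, and not the author's own configuration) of the stunnel approach in [1] and the trust caveat in [2]: a minimal modern stunnel (ini-style, stunnel 4/5 syntax) setup that wraps an existing plaintext POP3 daemon in TLS on the server, beside a client-side config that actually verifies the server's certificate instead of blindly trusting whatever answers on the socket. Hostnames, paths and the CA bundle location are placeholders.

```ini
; ---- server side: /etc/stunnel/pop3s.conf (placeholder path) ----
; stunnel listens on 995 and forwards decrypted traffic to the
; unmodified POP3 daemon on loopback port 110.
cert = /etc/stunnel/mail.example.com.pem   ; placeholder: server cert
key  = /etc/stunnel/mail.example.com.key   ; placeholder: private key
setuid = stunnel
setgid = stunnel
chroot = /var/lib/stunnel

[pop3s]
accept  = 995
connect = 127.0.0.1:110

; ---- client side, WEAK: tunnels to the server but never checks who it is ----
; This is the "trust the remote end of the socket" situation from [2]:
; anyone who can answer on port 995 (DNS or routing games) gets the password.
client = yes
[pop3s-unverified]
accept  = 127.0.0.1:1110
connect = mail.example.com:995

; ---- client side, CORRECTED: verify the chain and the hostname ----
; Mail client is pointed at 127.0.0.1:1110; stunnel refuses the tunnel
; unless the server presents a certificate that chains to a trusted CA
; and carries the expected name.
client = yes
[pop3s-verified]
accept      = 127.0.0.1:1110
connect     = mail.example.com:995
verifyChain = yes
checkHost   = mail.example.com
CAfile      = /etc/ssl/certs/ca-certificates.crt  ; placeholder: CA bundle
```

The three sections are shown together for comparison; in practice the weak and corrected client sections would not both be loaded. Note that even the verified variant only authenticates the server; per-user authentication is still the plaintext POP3 password inside the tunnel, which is the gap [2] contrasts with IPSec-style mutual authentication.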