Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
This question was last asked in 2003, so I figure it's okay to ask it again in 2007, especially WRT ssh -2.
Is SSH, especially SSH -2, as secure or more secure than a Cisco-supplied VPN connection?
My home computer runs Debian Sarge kernel 2.6. I can connect to my school's server via either SSH -2 or VPN. The school only has documentation about VPN, not SSH, for off-campus access in Windows, Linux and Mac. They have no liveware support for Linux at all, although the IT department and various schools are very heavy Linux users. Unless you're on staff in that particular department, there is zippo support, nada, none-at-all for Linux.
I was under the impression that VPN was the most secure access, so went for this off-campus. My trial-and-error setup led to something that's probably unnecessarily convoluted: I'll start up and connect to the school's server over VPN, then login using ssh -2 over that connection. My old Linksys router couldn't handle VPN's MTU and couldn't be reset. My current (also old) Motorola Surfboard cable modem has problems with IPv6 over IPv4 tunneling.
I'd love to drop the VPN connection entirely for Linux and just use the SSH protocols (is that the right word?). None of the routers or modems I've used seem to have problems with SSH. Would this make my home computer less secure?
Any information, answers or best guesses greatly appreciated.
Either ssh or VPN can be more secure; it is a question of how things are configured. Both ssh and VPNs tend to use many of the same encryption techniques. What is the most secure is doing both, as you say you already are. That way, to the public internet, they would have to get through the VPN encryption on the outside, then the ssh encryption on the inside of that. It also protects you from malicious users within your campus network or connected on the VPN, because even though they can appear as LAN computers through the use of the VPN, your communications would still have the ssh encryption to the server you ssh into.
Much of this is out of your control. You don't set the VPN security, and unless you have root level access to the box you are using ssh to reach, you can't control what encryption the ssh daemon running on it uses. You seem pissed about the support thing. It is entirely possible that the machine you are using ssh to reach through the VPN is not accessible through ssh alone. It may be that this box requires you to reach it only through a LAN address (which requires VPN), or it may have ssh running on a non-standard port if you connect through the WAN. There are many things that factor into this, and we can only give guesses as to what may be happening.
Neither the VPN nor ssh has any impact on your home computer's security, unless the VPN forces all internet traffic through a tunnel onto the school network. You are just a client. Using ssh or VPN client software doesn't open service ports that are otherwise closed. There are worlds of difference between using ssh to connect to another computer, and running sshd. What you asked is roughly equivalent to saying, "is it more secure to look at google.com or yahoo.com?" A VPN that forces all internet bound traffic through a tunnel would make your machine more secure, but any time you aren't running the VPN client, you are only as secure as your connection allows you to be.
Without hard info about what encryption the VPN or ssh is using, we can't compare and contrast. Using both is likely to be the most secure.
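Added example, not part of the original thread: the reply above says a comparison needs hard info about what encryption is in use. For the ssh side, the client prints the negotiated algorithms in its `ssh -v` debug output, and the sketch below summarises them. The function names, the `LEGACY` marker and the sample lines are constructed for illustration, and `user@host` is a placeholder.

```shell
#!/bin/sh
# Added example: report the algorithms an SSH session negotiated, read from
# the client `ssh -v` debug output (which ssh writes to stderr).

ssh_negotiated() {
    awk '
    /^debug1: kex: algorithm: /          { print "kex=" $4 }
    /^debug1: kex: host key algorithm: / { print "hostkey=" $6 }
    /^debug1: kex: (server->client|client->server) / {
        if ($4 == "cipher:") { cipher = $5; mac = $7 }  # newer layout
        else                 { cipher = $4; mac = $5 }  # older layout
        # CBC/arcfour ciphers and MD5 or 96-bit-truncated MACs are legacy
        # choices that current OpenSSH no longer offers by default.
        note = (cipher ~ /cbc|arcfour/ || mac ~ /md5|-96/) ? " LEGACY" : ""
        print $3 " cipher=" cipher " mac=" mac note
    }'
}

# Constructed sample in the layout printed by older OpenSSH clients.
sample_old() {
    cat <<'EOF'
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
EOF
}

# Constructed sample in the layout printed by current OpenSSH clients.
sample_new() {
    cat <<'EOF'
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
EOF
}

# Real use (user@host is a placeholder):
#   ssh -v user@host exit 2>&1 | ssh_negotiated
sample_old | ssh_negotiated
sample_new | ssh_negotiated
```

This only covers the ssh session; the VPN's settings are not visible this way and have to come from the VPN client's own configuration or logs.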