Subject: Re: (long) Re: Authenticating with LDAP
To: NetBSD - Users <netbsd-users@netbsd.org>
From: Jim Breton <jamesb-netbsd@alongtheway.com>
List: netbsd-users
Date: 01/21/2003 01:48:51
On Mon, Jan 20, 2003 at 03:11:56PM -0500, Chuck Yerkes wrote:
> Setting up and breaking down SSL connections is very expensive.
> So using a "helper" daemon to maintain a connection is called
> for to alleviate this.  Once we have this daemon caching

I opted to go with an ssh tunnel for a similar situation with SMTP.
Rather than use TLS/SSL, I set up an unprivileged user on the destination
host and set his shell to /sbin/nologin.  On the client side, I call ssh
with the '-nNT' options and set "EscapeChar" to "none".  The connection
stays open all the time, and I could compress it if I really wanted to
(over a slow link or whatever).  And both server and client authentication
requirements are met.

Doesn't address the desire for caching of course, but may be suitable in
some other folks' environments.
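As an added example, not code from Jim's post, here is what the client and server halves of such a tunnel look like in a POSIX shell script. The relay host name, the tunnel user, the key path and the local port are all assumed placeholders. Note that with `-N` the client never requests a shell, so the `/sbin/nologin` login shell on the tunnel account costs nothing, and a `permitopen` restriction in `authorized_keys` keeps the key from forwarding to anything but the SMTP port.

```shell
#!/bin/sh
# Added example (not from the original post): a persistent ssh tunnel for SMTP
# in the style Jim describes. Every host, user, port and path below is an
# assumed placeholder.

TUNNEL_USER="${TUNNEL_USER:-smtptun}"            # unprivileged account on the relay
RELAY_HOST="${RELAY_HOST:-relay.example.net}"    # destination host (placeholder)
LOCAL_PORT="${LOCAL_PORT:-2525}"                 # where the local MTA will connect
REMOTE_PORT="${REMOTE_PORT:-25}"                 # SMTP on the relay's loopback
KEY="${KEY:-/etc/smtptunnel/id_ed25519}"         # client key, no passphrase

# Client side: assemble the ssh argument list as one string so it can be
# inspected (and tested) without opening a connection.
#   -n   do not read stdin      -N  no remote command (no shell needed)
#   -T   no pseudo-terminal     EscapeChar=none: nothing in the stream is magic
# ExitOnForwardFailure makes ssh exit (and get restarted) if the -L bind fails,
# ServerAlive* detects a dead link, BatchMode refuses to prompt, Compression
# is the optional squeeze for slow links.
tunnel_args() {
    a="-nNT -o EscapeChar=none -o ExitOnForwardFailure=yes"
    a="$a -o ServerAliveInterval=60 -o ServerAliveCountMax=3"
    a="$a -o BatchMode=yes -o StrictHostKeyChecking=yes -o Compression=yes"
    a="$a -i $KEY -L 127.0.0.1:$LOCAL_PORT:127.0.0.1:$REMOTE_PORT"
    a="$a $TUNNEL_USER@$RELAY_HOST"
    printf '%s' "$a"
}

# Keep the tunnel up: ssh -N returns only when the connection drops, so loop.
# Relies on word splitting of the argument string; none of the values above
# contain spaces.
run_tunnel() {
    while :; do
        # shellcheck disable=SC2046
        ssh $(tunnel_args)
        sleep 5
    done
}

# Server side: the authorized_keys line for the tunnel account. The options
# predate the newer "restrict" keyword and work with old OpenSSH too:
# no shell-related privileges and forwarding allowed only to the SMTP port.
# Argument: the client's public key ("ssh-ed25519 AAAA..." or similar).
authorized_key_line() {
    printf '%s' "no-pty,no-X11-forwarding,no-agent-forwarding,permitopen=\"127.0.0.1:$REMOTE_PORT\" $1"
}

# Commands an administrator would run once on the relay (printed, not executed,
# since they need root). Account has no password and a non-login shell.
server_setup_commands() {
    printf '%s\n' "useradd -m -s /sbin/nologin $TUNNEL_USER" \
        "install -d -m 700 -o $TUNNEL_USER ~$TUNNEL_USER/.ssh" \
        "# append authorized_key_line output to ~$TUNNEL_USER/.ssh/authorized_keys"
}

# Start the tunnel only when explicitly asked, e.g. from an rc script:
#   sh smtptunnel.sh run
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

The local MTA is then pointed at `127.0.0.1:2525` as its relay; on the server, `permitopen` means a compromised client key yields nothing beyond a connection to the relay's own port 25, and since no session is ever opened the `/sbin/nologin` shell is never reached.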