Subject: Re: Persistent tunnel
To: Stephen Borrill <netbsd@precedence.co.uk>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 12/15/2006 12:31:53
On Fri, 15 Dec 2006 16:54:58 +0000 (GMT)
Stephen Borrill <netbsd@precedence.co.uk> wrote:

> On Fri, 15 Dec 2006, Steven M. Bellovin wrote:
> >>    I read up a bit on stunnel, and it seems a little messy,
> >> requiring you to deal with SSL certificates for authentication.
> >> (But I could be wrong.)
> >>
> >
> > I use stunnel to handle email tunneling.  I used to use ssh, but as
> > noted ssh sessions sometimes end.  (My particular case was in
> > hotels, where the @#$%^ NATs would time out, leaving email piling
> > up on my machine without warning.)
> >
> > Stunnel sets up sessions on demand.  As best I recall, it does not
> > have a persistent session option.  Of course, on-demand setup was
> > perfect for my needs.
> >
> > There is indeed overhead for learning how to use the certificates.
> > Briefly -- and Google for "openssl how-to" for details -- you need
> > to create your own CA certificate, then create client and server
> > certificates.  These can be shared among the different services, I
> > might add.  It's at least as annoying figuring out how to configure
> > stunnel to use these things....
> 
> And you'd have to learn the same for one of the mooted alternatives,
> OpenVPN (which would be my recommend solution). You can use password
> authentication with OpenVPN now, but it's more susceptible to attack.
> 
Actually, for this purpose I don't think that passwords are an issue.
Run /dev/urandom into md5, or install security/apg, or flip coins.
However it's done, you'll end up with a long, meaningless, unguessable
password that's just going to sit in a read-protected configuration file
somewhere. It's not as if someone has to memorize and type it.  The
incremental risk comes from having it on two machines instead of one,
which is what you'd do with a private key for a certificate.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
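The message above describes generating a long random password from /dev/urandom and leaving it in a read-protected configuration file. The following is an added example of that procedure, not code from the thread or from the OpenVPN or stunnel projects. It assumes a POSIX shell with /dev/urandom, dd and od (so it runs on NetBSD and Linux alike); the 32-byte length and the file path are illustrative choices. It hex-encodes the raw bytes rather than piping them through md5, which keeps all of the entropy read from the device, and it includes the check a practitioner would want: that the stored secret really is owner-only and long enough.

```shell
#!/bin/sh
# Added example (not from the list thread): generate an unguessable
# pre-shared password and keep it in a mode-0600 file.
# Assumes /dev/urandom, dd and od; path and lengths are illustrative.

# Print N random bytes (default 32) from /dev/urandom as lowercase hex.
# dd and od are POSIX, so this is portable across BSD and Linux.
# 32 bytes is 256 bits of entropy, far beyond any guessing attack.
gen_secret() {
    nbytes="${1:-32}"
    dd if=/dev/urandom bs=1 count="$nbytes" 2>/dev/null \
        | od -An -v -tx1 | tr -d ' \n'
}

# Write a fresh secret to FILE. The subshell sets umask 077 so the file is
# never, even briefly, readable by anyone but the owner; chmod 600 then
# pins the mode regardless of what umask the caller had.
write_secret() {
    file="$1"; nbytes="${2:-32}"
    ( umask 077 && gen_secret "$nbytes" > "$file" && chmod 600 "$file" )
}

# Return 0 if FILE is a regular file readable only by its owner and holds a
# hex secret worth at least MINBYTES bytes (default 32); otherwise print the
# reason and return 1.  Permissions are read from the first ten columns of
# ls -ld, which are the same on BSD and Linux.
check_secret() {
    file="$1"; minbytes="${2:-32}"
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    perms=$(ls -ld "$file" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) ;;
        *) echo "$file: permissions $perms are too open"; return 1 ;;
    esac
    secret=$(cat "$file")
    case "$secret" in
        *[!0-9a-f]*) echo "$file: not a hex string"; return 1 ;;
    esac
    [ "${#secret}" -ge $((minbytes * 2))  ] \
        || { echo "$file: only ${#secret} hex chars"; return 1; }
    return 0
}

# Usage with an illustrative path:  sh gensecret.sh /etc/openvpn/psk.txt
# Runs only when a path is given, so sourcing the file has no side effects.
if [ $# -ge 1 ]; then
    write_secret "$1" 32 && check_secret "$1" 32 && echo "$1: ok"
fi
```

Point the daemon's configuration at the written file; the secret itself is never typed or memorized, so there is no reason to make it shorter than the full 64 hex characters.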