Re: ssh tunnelling
On Wed, 23 Aug 2000, Ramiro Brito Willmersdorf wrote:
>
> Hello,
>
> I just read Giuseppe's recently posted instructions and found them to be
> excellent.
Thanks!
(The document is at:
http://www.mi.infn.it/~lobiondo/ldapnis.pdf
I'm still working on it and comments and suggestions are welcome.)
> He suggests using stunnel for secure communications between the
> clients and the server. Is there any problem or serious difficulty in doing the
> same thing using ssh port forwarding?
I've used SSL because many LDAP client applications (including the pam and
nss libraries) do use SSL. I don't think that it is worth using SSH since
both client and server applications must be wrapped.
Anyway, OpenLDAP 2.0 has TLS/SSL support so you don't need to use any
wrappers at all.
> I already have ssh installed in the network where I intend to deploy LDAP
> authentication, and it is working very well and it is something I think I
> understand. Every time I read about using SSL, my eyes cross...
> Setting up a certification authority seems to me way too much trouble
> for such a simple application.
Using a self-signed certificate gives you the same level of confidence as
SSH. You do not need to have a CA.
Users can still use SSH and do not need to have a cert.; the certificate
is needed only in the communication between the server and the libraries.
Bye,
Giuseppe
> This seems very obvious to me, but I don't recollect anybody else suggesting
> it, so there must be some issue I'm missing.
> Many thanks,
> --
> Ramiro Brito Willmersdorf rbw@demec.ufpe.br
> GPG key: http://www.demec.ufpe.br/~rbw/GPG/gpg_key.txt
>
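The self-signed-certificate point above, as an added example (not code from the original thread): the client pins the slapd certificate the way SSH pins a host key in known_hosts, so no CA is involved, but the pin only protects anything if the libraries are configured to demand it. The host name ldap.example.org, the base DN, all paths and the function names are assumptions; TLS_CACERT and TLS_REQCERT are OpenLDAP ldap.conf(5) directives.

```shell
#!/bin/sh
# Added example, not from the original thread. Pins a self-signed slapd
# certificate on the client the way SSH pins a host key in known_hosts.
# Assumes openssl is on PATH; the name ldap.example.org, the base DN and
# every path are constructed for the demonstration.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Server side: one self-signed certificate and key, no CA involved.
# $1 = file basename, $2 = common name (the LDAP server's host name)
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Client side: the only trust anchor is the pinned server certificate.
# Returns 0 when $1 is that certificate, non-zero for any other one,
# which is the check the libraries perform before sending credentials.
verify_pinned() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$1" >/dev/null 2>&1
}

# Client configuration that makes the pam/nss LDAP libraries enforce the
# pin: TLS_CACERT names the pinned certificate and TLS_REQCERT demand
# refuses any server that cannot present it (ldap.conf(5) directives).
# Prints the number of TLS_REQCERT lines written (1).
write_client_conf() {
    cat > "$WORKDIR/ldap.conf" <<EOF
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
TLS_CACERT  $WORKDIR/server.crt
TLS_REQCERT demand
EOF
    grep -c '^TLS_REQCERT demand' "$WORKDIR/ldap.conf"
}

make_self_signed server ldap.example.org
# A second self-signed certificate with the same name but a different key,
# as a different (or spoofed) host would present: it must be rejected.
make_self_signed other ldap.example.org

if verify_pinned "$WORKDIR/server.crt"; then echo "pinned server: accepted"; fi
if ! verify_pinned "$WORKDIR/other.crt"; then echo "other key, same name: rejected"; fi
write_client_conf >/dev/null
```

Without `TLS_REQCERT demand` (or the equivalent verify setting in stunnel) the client accepts any certificate, and the self-signed setup gives no host authentication at all.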