On Sat, Mar 22, 2014 at 10:40:50AM +0000, mick wrote:
> On Sat, 22 Mar 2014 00:59:49 +0000 Neil Sedger <alug@moley.org.uk> allegedly wrote:
> > If you don't need to access your remote machine then no you don't need a VPN. I use it rather than ssh because there's no need to tunnel ports, so e.g. my phone can easily see my samba shares, mediaserver, VNC desktops, access my smtp server... It can be done with ssh tunnelling but it's a bit more fiddly.
>
> Intriguing. So you clearly trust your certificates to your 'phone (android or iOS?). Do you encrypt your 'phone? Are you sure that no app can lift your certificates? Do you use a passphrase with your certificates? And is that passphrase stored by your 'phone?
That's always been my fear with public-key security: it would be only too easy to leave lap-top, tablet, phone set up to connect (e.g. pass phrase in ssh-agent) and thus allow someone else access.
I do use public-key but only for outgoing connections from my desktop machine to [relatively] unimportant systems out there on the internet; having the pass phrase the same as my login password means it's all passwordless once I've logged in to my desktop.
For incoming connections (ssh) to my desktop I use password authentication but only allow it from two specified IP addresses which are hosting accounts with ssh access. So to connect from some remote location I ssh to my hosting account and then ssh from there to my desktop.
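
The arrangement described in the message above, written out as OpenSSH configuration. This is an added example and not part of the original post; the two addresses are documentation-range placeholders and the host and user names are hypothetical.

```conf
# --- /etc/ssh/sshd_config on the desktop (server side) ---

# Default for every source address: no password logins.
PasswordAuthentication no
# With PAM enabled, keyboard-interactive can also accept a password,
# so it is switched off globally as well. Older OpenSSH releases call
# this option ChallengeResponseAuthentication.
KbdInteractiveAuthentication no

# Exception: the two hosting accounts (placeholder addresses).
# Settings in a Match block override the global ones above and apply
# until the next Match line or the end of the file, so keep this block
# at the bottom of sshd_config.
Match Address 192.0.2.10,198.51.100.20
    PasswordAuthentication yes

# --- ~/.ssh/config on the roaming client (laptop, tablet, phone) ---

# Hypothetical names. ProxyJump (OpenSSH 7.3 and later) performs the
# "ssh to the hosting account, then ssh from there" hop in one command:
#   ssh desktop
Host desktop
    HostName desktop.example.net
    User me
    ProxyJump me@shell.example.net
```

After editing sshd_config, `sshd -t` checks the file for syntax errors before the daemon is reloaded. The address restriction moves the exposure to the hosting accounts: whoever can log in there can reach the desktop's password prompt.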