Re: Use IPSEC as SSH replacement
>My query about using some solution based on IPSEC to replace SSH,
>originates from a desire to demonstrate and do something *useful* with
>IPSEC as fast as possible, preferably *NOW*. I was hoping some
>minimal effort IKE (or something) specification that would give
>at least the same as SSH, but using IPSEC architecture.

I have been thinking about using SSH's host key pair for the IKE daemon
for some months. Thinking about the granularity of protection,
I think it is not a very good way.

1. user A performs ssh session from host X to host Y.
   This installs Y's public key into ~A/.ssh/known_hosts.
2. user A performs ssh session from host Y to host X.
   Now, X has Y's public key, Y has X's public key.
3. kick IKE daemon for negotiating IPsec SA, by using /etc/ssh_host_key
   and ~A/.ssh/known_hosts.

In (1) and (2) ssh works as "public key distribution mechanism".
Notice that there's almost no authentication other than "do you
really want to perform ssh session to A (yes/no)" in (1) and (2).
Any experiences are welcomed...
itojun
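
An added example, not part of the original message: one way to check which known_hosts entries are more than "accepted on first use" before handing them to a key-exchange daemon. It assumes the OpenSSH-style line layout (`hosts keytype base64-key`) and a separately obtained, out-of-band fingerprint list; the function names and sample entries are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(line):
    """Parse one known_hosts line -> (hostnames, keytype, 'SHA256:<b64>')."""
    fields = line.split()
    if fields and fields[0].startswith("@"):   # @cert-authority / @revoked marker
        fields = fields[1:]
    hosts, keytype, b64 = fields[:3]           # ValueError if fields are missing
    blob = base64.b64decode(b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    # Same text form `ssh-keygen -l` prints: unpadded base64 of the SHA-256.
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return hosts.split(","), keytype, fp

def split_by_verification(known_hosts_text, verified):
    """verified maps hostname -> fingerprint obtained out of band (assumed input).
    Returns (accepted, rejected); each rejected entry carries a reason."""
    accepted, rejected = [], []
    for line in known_hosts_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            hosts, keytype, fp = fingerprint(line)
        except ValueError:
            rejected.append((line.split()[0], "unparsable entry"))
            continue
        for host in hosts:
            expected = verified.get(host)
            if expected is None:
                rejected.append((host, "accepted on first use only"))
            elif expected == fp:
                accepted.append((host, keytype, fp))
            else:
                rejected.append((host, "fingerprint mismatch"))
    return accepted, rejected

def sample_line(host, blob):
    # Constructed entry: the blob is placeholder bytes, not a real public key.
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

SAMPLE = "\n".join(sample_line(h, b"constructed blob " + h.encode())
                   for h in ("hostX", "hostY", "hostZ"))

if __name__ == "__main__":
    fp_y = fingerprint(SAMPLE.splitlines()[1])[2]
    ok, bad = split_by_verification(SAMPLE, {"hostY": fp_y, "hostZ": "SHA256:other"})
    print("usable:", ok)
    print("not usable:", bad)
```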