
Re: Use IPSEC as SSH replacement




>My query about using some solution based on IPSEC to replace SSH
>originates from a desire to demonstrate and do something *useful* with
>IPSEC as fast as possible, preferably *NOW*. I was hoping for some
>minimal-effort IKE (or something) specification that would give
>at least the same as SSH, but using the IPSEC architecture.

	I was thinking about using SSH's host key pair for the IKE daemon,
	for some months.  Thinking about the granularity of protection,
	I think it is not a very good way.

	1. user A performs ssh session from host X to host Y.
	   This installs Y's public key into ~A/.ssh/known_hosts.
	2. user A performs ssh session from host Y to host X.
	   Now, X has Y's public key, Y has X's public key.
	3. kick IKE daemon for negotiating IPsec SA, by using /etc/ssh_host_key
	   and ~A/.ssh/known_hosts.
	In (1) and (2) ssh works as "public key distribution mechanism".
	Notice that there's almost no authentication other than "do you
	really want to perform ssh session to A (yes/no)" in (1) and (2).

	Any experiences are welcome...

itojun
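The three steps above, modelled as an added example (not code from the post or from any SSH/IKE implementation): a small Python script parses a ~A/.ssh/known_hosts file in the OpenSSH "host keytype base64key" format, reproduces the client's host-key decision in steps (1) and (2), and shows what an IKE daemon keyed from that file would end up trusting. The key blobs, the host names X/Y and the known_hosts contents are constructed for the example; the blobs are arbitrary bytes, not real keys.

```python
import base64
import hashlib

# Constructed sample data for this added example: arbitrary bytes standing in
# for Y's real host key and for a key an attacker presents instead.
KEY_Y = b"constructed-ssh-host-key-of-host-Y"
KEY_MITM = b"constructed-ssh-host-key-of-an-attacker"


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def format_known_hosts_line(hosts: str, keytype: str, blob: bytes) -> str:
    """Build one known_hosts line: 'host[,host...] keytype base64key'."""
    return f"{hosts} {keytype} {base64.b64encode(blob).decode()}"


def parse_known_hosts(text: str) -> dict:
    """Parse known_hosts text into {host: (keytype, blob)}.

    Comments and blank lines are skipped and comma-separated host lists are
    expanded.  Hashed (|1|...) entries and @marker lines are not handled."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            known[host] = (keytype, blob)
    return known


def check_host(known: dict, host: str, keytype: str, blob: bytes,
               accept_unknown: bool) -> str:
    """Model the ssh client's host-key decision for one connection.

    Returns 'match', 'mismatch', 'unknown-accepted' or 'unknown-rejected'.
    On 'unknown-accepted' the presented key is written into `known`, exactly
    as in steps (1) and (2): the only check is the user's yes/no answer."""
    entry = known.get(host)
    if entry is None:
        if accept_unknown:
            known[host] = (keytype, blob)
            return "unknown-accepted"
        return "unknown-rejected"
    if entry == (keytype, blob):
        return "match"
    return "mismatch"


def run_scenario(attacker_first: bool) -> dict:
    """Steps (1)-(3) as seen from host X, with or without an attacker
    answering the very first connection to Y."""
    # ~A/.ssh/known_hosts on X before step (1): no entry for Y yet.
    known = parse_known_hosts("# known_hosts of user A on host X\n")
    first_key = KEY_MITM if attacker_first else KEY_Y
    first = check_host(known, "Y", "ssh-ed25519", first_key, accept_unknown=True)
    # A later connection that really reaches Y, presenting Y's genuine key.
    later = check_host(known, "Y", "ssh-ed25519", KEY_Y, accept_unknown=False)
    # Step (3): an IKE daemon reading this file takes the pinned entry as Y's key.
    pinned = known["Y"][1]
    return {
        "first": first,
        "later": later,
        "pinned_fingerprint": fingerprint(pinned),
        "ike_would_trust_attacker": pinned == KEY_MITM,
    }


if __name__ == "__main__":
    for attacker_first in (False, True):
        print("attacker answers first contact:", attacker_first)
        for k, v in run_scenario(attacker_first).items():
            print("   ", k, "=", v)
```

The point the script makes is the one itojun raises: whatever key was accepted at the yes/no prompt in step (1) is what step (3) hands to IKE, so the IPsec SA is only as trustworthy as that first-contact decision. The check a practitioner would add before answering "yes" is to compare `fingerprint()` of the presented key against a value obtained out of band; once a wrong key is pinned, the genuine host shows up as a mismatch rather than the attacker.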

