Nate Thanks. This is all good info. From what you've said I'm sure stunnel is easier and better for this little job. My only hesitation in using all these handy little lesser known tools is whether they have the same auditing/inspection of their source code like openssh does. OpenSSH is very widely used and many people analyze the code for defects daily. It is widely trusted and from a reputable source (OpenBSD guys). It would be safe and useful to invest my time in openssh since it will be around forever.... I don't know about stunnel though. Then again what do I know?... Chris P.S. I'm still surprised syslog-ng has no docs on remote logging and even docs for using syslog-ng with ssh or stunnel are hard to come by. On Tue, Jan 28, 2003 at 01:05:48PM -0800, Nate Campi wrote:

On Tue, Jan 28, 2003 at 11:57:14AM -0800, Nate Campi wrote:

...

The right place to start is with your (openssh) authorized_keys file having settings like this:

no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3N... syslog-ng@remotehost "logging account only"

Haha, I crack myself up. I actually put in "no-port-forwarding" when answering a post about using ssh for just such a purpose. What a dufus.

Anyways, the rest of what I said still applies. :)

HINT: if you use ssh and want it to reconnect, set it up under daemontools <URL:http://cr.yp.to/daemontools.html> so that when it dies it starts right back up, and the output is properly logged with multilog (assuming you set up logging, which you should). Also look into forced commands if you want better security. You won't be forwarding straight into syslog-ng, but you'll rest better knowing you're doing as much as you can to prevent misuse of this account.

Did I mention that stunnel makes it so you don't need to worry about all this? -- Nate Campi http://www.campin.net

Without C, We would only have Pasal, Basi, and obol

_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

-- _______________________________________ Dr. Christian Seberino SPAWAR Systems Center San Diego Code 2872 San Diego, CA 92152-6147 U.S.A. Phone: (619) 553-9973 Fax: Email: seberino@spawar.navy.mil _______________________________________

Even if openssh itself has no security holes, that's not the point. The points I brought up were concerned with misuse of the shell access openssh grants. THAT's what I'd be scared about if I were you.

This is only an issue if you don't take the time to setup the tunnel properly. Use a non-root account created only for the purpose of tunnels (with a locked password and a bogus shell), setup the authorized_keys file with command="/bin/false" so they CAN'T run any commands, and then use the -N flag to ssh to not execute a remote command when you setup the tunnels. We use reverse tunnels all over the place at work for logging and other stuff that needs to pass back through the firewall from the DMZ networks. A secure server inside the wall opens an SSH connection to the DMZ server, then forwards a port back through the tunnel to the server. The DMZ server never has to know anything about the secure server, nor be able to connect to it directly. This opens a small security hole in that if the DMZ host is compromised the bad guys have a single port they can access into the internal network, but we mitigate that risk by running syslog-ng on the secure server non-root and chrooted. *b -- People who are willing to rely on the government to keep them safe are pretty much standing on Darwin's mat, pounding on the door, screaming, "Take me, take me!"