[pptp-server] remote administration (keywords: ADSL,PPTP through PPTP,Telnet,FTP)

Charles Duffy cduffy at mvista.com
Fri Jun 23 11:52:14 CDT 2000


On Fri, Jun 23, 2000 at 03:21:57PM +0200, Ivo Truxa wrote:
> I want to use PPTP to securely administrate a dedicated Linux web server
> from my NT machine over the Internet. My questions:
> 
> 1. I hope I understood well that once I build the tunnel between the remote
> machine and me, all the communication runs encrypted (presuming MPPE having
> installed on both ends). Is that correct, or is there any way some
> connections to the remote machine could escape from the tunnel?

Barring any bugs (and none are known and likely to be causing this),
everything should be encrypted unless MPPE fails.

It is advisable that you install the MPPE-only patch to prevent this
from happening; my understanding is that it will terminate a session
rather than allow it to go unencrypted.

> 2. Strangely I have not seen using Telnet through PPTP mentioned anywhere as
> a secure alternative to SSLTelnet, SSH and other secure shells. Is there any
> problem in using Telnet through a PPTP or is there some better alternative?

The only "problem" is that it's not as versatile -- with SSH, your
connection is encrypted as far as wherever you're connecting to. With
telnet over PPTP, it's only encrypted as far as the PPTP server.

Also, SSH has (particularly in RSA key mode) far better crypto than
MPPE provides (see Counterpane's analysis).

> 3. Same for FTP. Well, I understand that installing Samba would be probably
> better alternative, but would FTP through PPTP still work fine (and secure)?
> I suppose there should be no problem, but would like to have it confirmed.

Yes, it would work -- but MPPE's security still leaves something to
be desired. I strongly recommend SCP (the file-copying counterpart to
SSH).

> 4. I am connected to the Internet through a VPN (also PPTP). I use ADSL
> modem that connects me to the network of my national telecom. Through a
> tunnel (PPTP) in their network I am connected to my ISP. How the connection
> to my remote web server would be made? (My remote web server is outside of
> the national telecom network). It seems to me that I would need to build a
> second tunnel (to my server) inside of the tunnel to my ISP (and to the
> Internet). Is it possible at all?

Yes, you can nest tunnels. As long as your routing to the target of
the second target goes through the first (ie. your first tunnel is
correctly configured), the second one should go through it without any
special configuration.

> 5. Has anybody experience with a remote installation of PoPToP incl.
> MSCHAPv2/MPPE? Are there any risks I should be especially aware of, or
> things to check before I start? Or can it be done only locally and I should
> ask my IHP to install it for me?

Any time you're loading kernel modules, you're putting the system at a
slight risk. As long as you compile against the same kernel version as
is on the remote machine, though, or compile on the remote machine,
you should be fine.

Really, though, it's probably better security-wise to use SSH/SCP if
you have the choice. PuTTY/PSCP are a pair of high quality, free SSH
and SCP clients for Windows; you might want to consider giving them a
try. (Also, if you have a low-bandwidth connection and turn on SSH's
compression, you may get better performance).
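
A routing check for questions 1 and 4, added here as an example and not part of the original message: it uses longest-prefix matching to confirm that the second tunnel's endpoint is reached through the first tunnel and to list destinations that would leave outside the second tunnel. The interface names (ppp0, ppp1), addresses and routing table are constructed assumptions.

```python
import ipaddress

# Constructed routing table for the nested setup in question 4 (all values are
# assumptions): ppp0 = tunnel to the ISP, ppp1 = tunnel to the web server.
ROUTES = [
    ("0.0.0.0/0", "ppp0"),
    ("10.0.0.0/24", "eth0"),
    ("192.168.50.1/32", "ppp1"),
]
SERVER_PUBLIC = "203.0.113.10"   # outer endpoint of the second tunnel
SERVER_TUNNEL = "192.168.50.1"   # server's address inside the second tunnel


def egress(dst, routes):
    """Return the interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(routes, outer_if, inner_if, endpoint, targets):
    """List problems: endpoint routing and destinations that bypass inner_if."""
    problems = []
    via = egress(endpoint, routes)
    if via == inner_if:
        # Encapsulated packets would be fed back into the tunnel carrying them.
        problems.append(f"{endpoint}: tunnel endpoint routed into its own tunnel")
    elif via != outer_if:
        problems.append(f"{endpoint}: endpoint leaves via {via}, not {outer_if}")
    for dst in targets:
        via = egress(dst, routes)
        if via != inner_if:
            problems.append(f"{dst}: leaves via {via}, outside {inner_if}")
    return problems


if __name__ == "__main__":
    for line in audit(ROUTES, "ppp0", "ppp1", SERVER_PUBLIC,
                      [SERVER_TUNNEL, SERVER_PUBLIC]):
        print(line)
```

With this table, a Telnet or FTP session opened to the server's public address is reported because it travels over ppp0 only, so it is not covered by the second tunnel's MPPE; the same session to the tunnel-side address is not reported.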