
On 2024-01-20 10:14, Peter King via talk wrote:
> Just recently I was told that the University would not allow me to ssh in to my office computer "because ssh had to be protected from the internet" (!), and instead I was supposed to use some binary blob to create a VPN into the UofT network -- and how having one point of entry into the whole system, trusted internally, "improves" security over a single ssh connection to a single computer, I could not tell you (and neither can they). But it's policy, so that ends discussion.

At a customer long, long ago, we had a similar rule imposed. It turned out the right person to talk to was in-house counsel, as by pure happenstance my concern was that I would be blamed when (not if) the known-buggy product let someone pretend to be me. That was right up his alley, and about a year later, we settled on ssh with certificates.

--dave
-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
dave.collier-brown@indexexchange.com |              -- Mark Twain