DComTalk.com

I'm setting up a network with a private network and a DMZ. I want to be
able to access machines in the private network via SSH from the
Internet. Should I put the SSH server on a machine on the private
network or on a machine in the DMZ?

I'm thinking the DMZ because then I'll need to SSH from there to the
private network and so will any attacker and breaking two SSH links is
more difficult than breaking only one if I SSH directly into the
private network from the Internet.

Is my reasoning sound, or should I put the Internet-visible SSH server
on the private network?

I'm setting up a network with a private network and a DMZ. I want to be
able to access machines in the private network via SSH from the
Internet. Should I put the SSH server on a machine on the private
network or on a machine in the DMZ?

You could SSH the firewall implementation between DMZ and private zone,
and from there into the private zone. Usually, you should control, from
where those ssh requests come, too.

I'm thinking the DMZ because then I'll need to SSH from there to the
private network and so will any attacker and breaking two SSH links is
more difficult than breaking only one if I SSH directly into the
private network from the Internet.

Yes. Especially, if you're only using PSK, i.e. DSA, and your both
SSH implementations are different programs, so an exploit in one of
them does not lead to making your private network unsecure.

Yours,
VB.
--
"Ich bin ein freier Mensch und werde jetzt von meinen Freiheitsrechten
Gebrauch machen - und zwar ausgiebig - natürlich nur in dem Rahmen, den
Otto Schily mir noch zur Verfügung stellt."
Wolfgang Clement am 10.10.05 als Noch-Superminister