by itaifrenkel 3399 days ago
SSH does not cover all use cases.

One example: if you have an internal web service, how would you restrict access to employees only (without having it open to the internet)? SSO is not enough, since you want the ports closed to non-employees.

Another example is accessing a database that is not configured with SSL. You don't want your info travelling in plaintext on the internet.

2 comments

I work remotely. SSH is exactly what I use to access our internal-only (web) services.
Do you use ssh as a SOCKS proxy?
Yes. Typically:

  $ ssh -D 8888 <bastion host>
I have a Firefox add-on that makes it very easy to switch the proxy settings on and off.
And do you find that non-techies can also handle this? Also, I think this won't cover DNS changes that a VPN client does.
ssh covers both of these cases.
There is another issue that US citizens usually do not encounter. When you set up a VPN on Amazon, for example, you would like only some of the traffic (intranet) to go through that VPN (or SSH SOCKS proxy). The rest of the traffic should go directly to the internet. The reason is that the round trip is too costly.

I am not sure configuring these settings is trivial, and VPN clients provide that out-of-the-box.

Same question. Do you refer to using SSH and a SOCKS proxy? If so, is that a viable solution, in your experience, with less techy employees?
Less techy employees shouldn't be on any private/internal networks. Just give them an HTTPS web panel to work on authenticated by the SSO system.
SSO is not enough. In secure systems you are usually required to provide both network access and applicative access restrictions.
It would be utterly transparent. Please don't be ignorant.
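
The split routing raised in the thread (intranet traffic through the `ssh -D 8888` SOCKS proxy, everything else direct) can be expressed as a browser proxy auto-config (PAC) file. This is an added example, not code from any commenter; the `.corp.example` suffix and the 10.0.0.0/8 range are assumed placeholders.

```javascript
// Proxy auto-config (PAC) sketch for use with `ssh -D 8888 <bastion host>`.
// Assumptions (constructed for this example): intranet names end in
// ".corp.example" and intranet IP literals fall in 10.0.0.0/8.
var INTERNAL_SUFFIXES = [".corp.example"];
var INTERNAL_IP_LITERAL = /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
// No "; DIRECT" fallback: if the tunnel is down, intranet requests fail
// instead of leaving the machine unproxied.
var VIA_TUNNEL = "SOCKS5 127.0.0.1:8888";

function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  // Treat the fully qualified form "name.corp.example." like "name.corp.example".
  if (h.charAt(h.length - 1) === ".") h = h.slice(0, -1);
  return h;
}

function isInternal(host) {
  var h = normalizeHost(host);
  if (h === "") return false;
  if (INTERNAL_IP_LITERAL.test(h)) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var suffix = INTERNAL_SUFFIXES[i];
    // Match the zone apex or a label boundary, so "evilcorp.example" and
    // "corp.example.attacker.test" are not treated as intranet hosts.
    if (h === suffix.slice(1)) return true;
    if (h.length > suffix.length &&
        h.indexOf(suffix, h.length - suffix.length) !== -1) return true;
  }
  return false;
}

// Entry point the browser calls for every request. The decision is made on
// the host string only; dnsResolve()/isInNet() are avoided so the PAC script
// itself does not look up intranet names through the local resolver.
function FindProxyForURL(url, host) {
  return isInternal(host) ? VIA_TUNNEL : "DIRECT";
}
```

In Firefox, whether hostnames sent to the SOCKS proxy are resolved on the remote side is a separate proxy setting ("Proxy DNS when using SOCKS v5"), so it has to be enabled alongside the PAC file.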