Ask HN: Is Connecting via SSH Risky?
I have been managing websites for a while and usually utilize SSH connections to login to, deploy code to, and otherwise remotely access the hosting servers.
I was recently informed that a client I work with considers that a legal risk.
If the SSH connection is set to disallow passwords and only authorize via SSH keys, how big of a risk is this?
16 comments
[ 3.2 ms ] story [ 37.6 ms ] threadIf you must, you'd typically use a bastion host that's configured just for the purpose of handing inbound SSH connections, and is locked down to a maximal degree. It then routes SSH traffic to your other machines internally.
I'd argue that model is outdated though, and the prevailing preference is putting SSH behind the firewall on internal networks. Think Wireguard, Tailscale, service meshes, and so on.
With AWS, restricting SSH ports via security groups to just your IP is simple and goes a long way.
Treat it as a teaching moment for them
There’s also the risk of a zero day RCE vulnerability in ssh (though I’ve not seen one in the 20 years I’ve been paying attention )
I tend to not expose ssh to the world and log in with some other method to pass the perimeter (VPN, IP whitelist, tailscale) and the ssh from inside.
If you are using only keys, make sure they are managed, tracked, securely stored and backed up. The last thing you want is to have a machine die that has the only private key for your environment.
ELI5, please. I understand it for passwords laymen use, but why is my 128 random byte password less secure than a key?
low risk, do this. Keys (ed25519,4096 rsa) are impractical to brute force. However I'd also recommend:
- use a different port than 22 (add your .ssh/config for easier UX if needed) - port 22 can get incredibly noisy with tons of bots probing
- disable passwordAuth, disable PermitRootLogin - use a normal user with sudo for your ssh
- consider a vpn please - I use tailscale, but I hear headscale is good - then use UFW to only allow SSH from the tailscale network (I generally allow all network on tailscale). Tailscale wrote a guide on this here [1]
- do not add and forget authorized_keys from machines you arent using
- I'm especially worried about how people keep giving Clawdbot/Openclaw access to all their machines, key auth means the machine is authorized on your server
- For new servers I often just add all my public keys to them (github lists all your keys at github.com/GH_USERNAME.keys
1: https://tailscale.com/docs/how-to/secure-ubuntu-server-with-...
SSH is a risk because you’re trusting the users and client to not be idiots or get compromised. In general, people tend to do stupid things. If it’s just you and your server, potentially a different story.
It’s like sharing secrets with people, the more who are involved, the less likely the secret will be kept.
What's their alternative? I guess you could install frontpage extensions to manage content, but Microsoft's contractor for FrontPage extensions on unix and similar took the downloads down[1], so that's a lot of work. :P
[1] http://www.rtr.com/fpsupport/fp2002sr1_download.htm