
It's not that different from having the same user/password accessible via ssh. It's best to not have direct access to important machines anyway, and go for a bastion or similar service.

But... you can switch to Kerberos SSO, or set up smart card login instead.

You can also use it kind of like a jump host and do ssh keys into a secondary server.

I find it cool to give a nice way to access in environments where ssh is not allowed by default, but https is. It's sometimes easier to set up proxies/reverse proxies in a corporate forest instead of opting for direct ssh access.




Wait, who's using SSH pass auth?

Folks, private keys. Change your SSH port and use an SSH tarpit on port 22.


How necessary is it to change ssh ports? You can't really spray/brute force a private key


It's not "necessary", but, when combined with a tarpit on port 22:

1. You can monitor if your private key is compromised and automatically rotate it.

2. It's fun to mess around with hackers and script kiddies.


The tarpit on 22 is amazing. I love looking at all the access logs every few months and seeing connection attempts that last minutes.


> user/password accessible via ssh

This is the first thing you should disable as soon as your public key is on the server.


I think most people who are serious have disabled ssh password authentication.
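The two comments above (disable password authentication once your key is on the server) are easy to state and surprisingly easy to get wrong in practice, because sshd keeps the first value it sees for a keyword and ignores later duplicates. As an added example, not code from any commenter, here is a small audit of an sshd_config that applies that rule, skips the conditional Match section, and checks the settings the thread recommends. The two configs are constructed samples; the keyword defaults are the documented OpenSSH ones.

```python
# Defaults sshd uses when a keyword is absent (OpenSSH sshd_config(5) defaults).
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
# Older spelling still accepted by sshd; normalised so the first-wins rule spans both.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    """Effective global settings: keyword (lowercased) -> first value seen."""
    settings, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:   # "Key=value" form is also legal
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # everything after Match is conditional, not a global default
        if key not in seen:  # sshd keeps the FIRST value; later duplicates are ignored
            seen.add(key)
            settings[key] = parts[1].strip()
    return settings

def audit(settings):
    """List what deviates from the thread's advice; an empty list means it all holds."""
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if settings["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM can still prompt for a password)")
    if settings["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    return findings
# Constructed sample: a 'no' was appended later, but the earlier 'yes' still wins.
WEAK_CONFIG = """Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""
# Constructed sample following the thread's advice (non-default port, keys only).
HARDENED_CONFIG = """Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match User backup
    AllowTcpForwarding no
"""
```

On distributions whose sshd_config begins with an Include line, the included files are read at that point and so take precedence over anything later in the main file; `sshd -T` prints the effective configuration and is the authoritative check.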



