So that’s generally my train of thought, but from what I know there were serious vulnerabilities discovered in OpenSSH throughout the years, doesn’t it increase the risk for open ssh port or were the vulnerabilities discovered never touched those areas of ssh authentication. Seems to me that tools like tailscale and so on aren’t open to this sort of risk but I definitely can be wrong
replyThe only one I can think of is the one on Debian where key generation used weak entropy, making keys guessable.
replyGiven its sensitivity, OpenSSH is incredibly battle-hardened and probably better than almost everything else you can run on an exposed port.
> SSH is not at all risky if you disable password authentication.
replyELI5, please. I understand it for passwords laymen use, but why is my 128 random byte password less secure than a key?
A bigger problem I think would be someone discovering a pre-auth 0day in the code. So the important thing would be to not allow the entire internet unrestricted access to whatever's running the SSH server.
reply