On Fri, Apr 11, 2025 at 07:59:40PM +0000, Andy Smith wrote:
> Hi,
>
> On Fri, Apr 11, 2025 at 08:12:14PM +0200, Marc SCHAEFER wrote:
> > systemd dependencies that are activated on a Debian system imply a lot
> > of library injections into sshd, much more than the stock OpenBSD ssh.

[...]

> > What do you think about this approach?

I'd be all for it, actually.

> I think you're wasting your time and should not have sshd listen on the
> public Internet at all, instead VPN in to your network and only have
> sshd available on the inside.

You already stated this. I don't think it is right, for two reasons:

 - you didn't explain how "a VPN's" mechanism is inherently more secure
   than sshd's, given that their mechanisms are all pretty similar.

 - Your category "a VPN" is hopelessly too broad (that's why I put it
   in quotes). What do you mean? IPSec? OpenVPN? Wireguard? CIPE? Some
   proprietary thing (there are loads of them)?

Since security depends critically on implementation details and the
dedication of the group behind the software, the above is quite relevant.

So, share your wisdom with us: what makes ssh less secure than "a VPN"?

Cheers
-- 
t