On Sat, Apr 12, 2025 at 09:39:53AM +0200, Marc SCHAEFER wrote:
> Hello,
> 
> Jumping into your interesting ssh vs VPN discussion:

[...]

Thanks for all those interesting details.

To sum up, I'd concur with Andy on one point: *if* you are running
a VPN anyway, it's better to hide your SSH behind that.

Otherwise, I tend to disagree. I'd expect OpenSSH to be far better
audited...

> I do not assume those kernel codes are unsafe, I am pretty sure they
> have audited them. It just makes the attack surface much bigger.

... than probably anything else out there (available to mere mortals,
not in NSA's deep belly or any other mythical beast). Of course, it
gets its share of auditing love by the Bad Actors, too, so there you
are.

Setting up a VPN to "just" protect an SSH access seems like a bad
use of resources to me. Invest those in your SSH daemon's setup
(misconfiguration being probably the most widespread source of
security flaws).

But... it's always a bet, since none of us knows everything.

Cheers
-- 
t
