With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.
Passwordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough
We can go harder: port knock to open the port to a cert-only VPN (on top of all that)
https://wiki.archlinux.org/title/Port_knocking
Felt a bit like a faff to me, so I never bothered. Does depend upon your threat model though
Totally.
Port knocking is one of those “of course someone did that” things to me too. A replay attack is enough to make it security theater.
An IP allowlist is a more useful addon.
Never understood this
I don’t think that anyone or anything, computer or mentalist, will guess my 40+ characters long password
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
Oh I see, ty !
Are you setting and managing other’s passwords?
Especially paired with Fail2Ban preventing any brute force attempts.
But with a WireGuard setup, you need not have the port exposed at all.
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.