Hacker News new | ask | show | jobs
by discardedrefuse 1659 days ago
Not OP, but I was wondering why use spiped instead of simply sshd with passwords disabled. If anyone else was curious, this is what I found on the spiped website:

"You can also use spiped to protect SSH servers from attackers: Since data is authenticated before being forwarded to the target, this can allow you to SSH to a host while protecting you in the event that someone finds an exploitable bug in the SSH daemon -- this serves the same purpose as port knocking or a firewall which restricts source IP addresses which can connect to SSH."
2 comments
acatton 1659 days ago
Top comment poster here, yes. I use spiped as a 256bit-combination port knocker. The goal is to protect against vulnerabilies in OpenSSH :)
link
spekcular 1659 days ago
Since that explanation is somewhat terse, and I don't know anything about security, let me ask a few questions.

Am I right that the failure mode spiped protects against is someone finding an exploit that allows them to bypass ssh logins that are set to (for example) public key authentication? So if one is not worried about this, there is no point?

Further, am I correct that what spiped does in this scenario is add a second layer of encryption, so that one must first bypass spiped in order to attempt an exploit against the ssh daemon? Then, in effect, spiped acts as a small, isolated, and auditable "condom" that can be used with any public-facing service?

link
marcosdumay 1659 days ago
What I read from that paragraph is "Spipe will block unknown computers from accessing your server's SSH (like a firewall). This provides an extra layer of security (equivalent to such a firewall) in case somebody finds a flaw on ssh."

I didn't dig into it enough to be sure, but it looks to me that spipe uses the same encryption as ssh. So, it won't protect you against crypto attacks, just restrict what computers those may come from.

For any other kind of service, spipe will tunnel it under a layer of encryption. Quite like you can do with bare ssh, but spipe is built for it and thus is more usable on that task.

link
spekcular 1659 days ago
If I'm reading correctly, spiped uses Diffie–Hellman for public key cryptography, while contemporary best practices suggest using elliptic curve crypto with shh (e.g. see [0]). So, for the truly paranoid, it might also provide some protection against crypto attacks too?

Note that the NSA can break 1028-bit DH [1], but spiped uses 2048-bit.

[0] https://docs.github.com/en/authentication/connecting-to-gith... [1] https://blog.securegroup.com/did-the-nsa-really-break-diffie...

link
discardedrefuse 1659 days ago
I am also not a security expert. But you seem to be correct in both cases. The spiped website also has an example of encrypting SMTP traffic between two servers in an spiped condom.

https://www.tarsnap.com/spiped.html

link