by landemva 1061 days ago
The consoles at big hosts typically require good 2fa to log in to the web management console, which typically can open a command line on the instance. This is a nice authN layer.
2 comments

Note that it's possible to configure multi-factor authentication using e.g. one-time password (OTP) for those regular openssh logins. The setup to achieve that still seems quite involved, though, so the reluctant sysadmin in me hasn't gotten around to trying it.

Multiple factors:

1FA: Password(1F) OR private key (password blank)(1F)

2FA: Private key(1F) with password(2F)

MFA: Private key(1F), w/ password(2F) AND OTP(3F)
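The OTP-on-OpenSSH setup this comment mentions, as an added example that is not from the thread, from OpenSSH or from any cloud provider: a POSIX sh audit script that checks whether an sshd_config fragment really enforces public key plus an OTP prompt for every login, and whether the matching PAM stack makes the OTP module mandatory. The config text is constructed; the directive names are standard OpenSSH ones, and `pam_google_authenticator.so` is the google-authenticator-libpam module. One point worth keeping in mind when reading the factor list above: a passphrase on the private key is enforced by the client alone, so the factors sshd itself can verify are the key and the OTP.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether an sshd_config fragment
# and its PAM stack really enforce public key + OTP for every login.
# Directive names are standard OpenSSH ones; pam_google_authenticator.so is
# the google-authenticator-libpam module. All config text is constructed.

# Constructed sample: enforces key AND OTP (keyboard-interactive via PAM).
HARDENED_SSHD_CONFIG='
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
'

# Constructed sample: single factor, key OR password is enough.
WEAK_SSHD_CONFIG='
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
'

# Constructed sample: /etc/pam.d/sshd fragment. No "nullok", so a user
# who has not enrolled a token is refused rather than silently waved through.
HARDENED_PAM_SSHD='
auth required pam_google_authenticator.so
'

# Print the effective value of directive $2 in config text $1, lowercased.
# sshd takes the FIRST occurrence of a keyword, so we use head, not tail,
# and we stop at the first Match block because directives there are
# conditional and need separate review.
effective_value() {
    printf '%s\n' "$1" \
        | awk 'tolower($1) == "match" { exit } !/^[[:space:]]*#/ { print }' \
        | grep -i "^[[:space:]]*$2[[:space:]]" \
        | head -n 1 \
        | awk '{ print tolower($2) }'
}

# Return 0 if the config text contains a Match block (which can relax the
# global policy for some users or sources), 1 otherwise.
has_match_block() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*match[[:space:]]'
}

# Return 0 if the global policy requires public key AND an OTP prompt.
check_mfa_config() {
    case "$(effective_value "$1" AuthenticationMethods)" in
        publickey,keyboard-interactive|publickey,keyboard-interactive:pam) ;;
        *) return 1 ;;
    esac
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(effective_value "$1" UsePAM)" = "yes" ] || return 1
    # Older OpenSSH spells the switch ChallengeResponseAuthentication.
    kbd=$(effective_value "$1" KbdInteractiveAuthentication)
    crp=$(effective_value "$1" ChallengeResponseAuthentication)
    [ "$kbd" = "yes" ] || [ "$crp" = "yes" ] || return 1
    return 0
}

# Return 0 if the PAM fragment makes the OTP module mandatory (auth
# required/requisite, no nullok), 1 otherwise.
check_pam_otp_required() {
    line=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep 'pam_google_authenticator\.so' | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        *nullok*) return 1 ;;
    esac
    case "$line" in
        auth*required*|auth*requisite*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: print a verdict for each constructed sample.
audit() {
    if check_mfa_config "$1"; then
        echo "$2: public key + OTP enforced"
    else
        echo "$2: single factor still accepted"
    fi
    if has_match_block "$1"; then
        echo "$2: has Match block, review it separately"
    fi
}
audit "$HARDENED_SSHD_CONFIG" hardened
audit "$WEAK_SSHD_CONFIG" weak
if check_pam_otp_required "$HARDENED_PAM_SSHD"; then
    echo "pam: OTP mandatory"
fi
```

To audit a real host, pass the contents of its sshd_config and /etc/pam.d/sshd to the two check functions instead of the constructed strings. The script deliberately reads only the global section: anything inside a Match block can narrow or relax the policy for particular users or source addresses and is flagged for manual review rather than evaluated.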

And have to use their shitty webui?

Ssh has 2fa options if that's the real reason.

Fwiw, this guide also suggests setting up a wg connection which is no better than ssh, and probably worse in some ways.

It doesn't need to be through the web UI, it can be done through the cli.

https://docs.aws.amazon.com/systems-manager/latest/userguide...

Google Cloud has a similar gcloud compute ssh instance-name command, and I imagine there's a similar one on Azure.

That's ssh?
There are massive differences between using this and throwing some keys on a server and opening 22. These systems use the cloud provider's proxying and authz/authn to dynamically grant access.

One could have a box with no public IP and no open ports and still use this to connect.

Cloud providers proxying?

Via ssh? With an SSH key? Over port 22?

> Via ssh?

No, through their in-house proxy tools such as Session Manager or Identity Aware Proxy or whatever Azure has.

> With an SSH key?

Not at the edge, and not an SSH key you manage. A dynamically generated one managed by the cloud provider which exists just for that session. So, not really, not like you're thinking.

> Over port 22?

For the tunnel? No.