by mynameisnoone 896 days ago
Exactly. There are untold tens to hundreds of millions of critical infrastructure systems that cannot be upgraded, containing insecure and horrible SSH implementations. Defense-in-depth, by layers of other security measures and isolation, permits them to be reasonably secure for their use prior to lifecycle replacement, where possible.

Furthermore, no one should place remote access servers on the internet; instead, place them on a private, internal network behind an infrastructure VPN jumpbox such as OpenVPN or WireGuard.

Only a few extremist developers in control of all of their own software and who don't have to interact with anything in the real world can maintain the idealistic purity to forever run only the latest version of everything.
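The layout the comment above recommends, as an added example that is not part of the original post: a WireGuard endpoint on the jumpbox is the only thing exposed to the internet, sshd on the internal host binds only its private address, and the operator's ssh client reaches it through ProxyJump. The addresses, interface name, usernames, host aliases and key placeholders are made up for illustration; the last function is a small check that the staged sshd_config never binds a public or wildcard address, since a missing ListenAddress means "listen everywhere".

```shell
#!/bin/sh
# Added example, not code from the thread. Stages the three config pieces that
# put sshd behind a WireGuard jumpbox into a scratch directory, then checks the
# sshd_config binds private addresses only. All addresses/keys are placeholders.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

write_configs() {
    mkdir -p "$STAGE/wireguard" "$STAGE/ssh"

    # Jumpbox side: WireGuard is the only service reachable from the internet.
    # Keys are placeholders; generate real ones with `wg genkey` / `wg pubkey`.
    cat > "$STAGE/wireguard/wg0.conf" <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <jumpbox-private-key>

[Peer]
# operator laptop (placeholder key)
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.2/32
EOF

    # Internal host: sshd binds only its private address, so it is reachable
    # through the jumpbox and not from the internet even if a firewall slips.
    cat > "$STAGE/ssh/sshd_config" <<'EOF'
ListenAddress 10.0.1.20
PasswordAuthentication no
AllowUsers ops
EOF

    # Operator laptop: every internal host is reached via the jumpbox alias.
    cat > "$STAGE/ssh/config" <<'EOF'
Host jump
    HostName 10.8.0.1
    User ops

Host legacy-plc
    HostName 10.0.1.20
    User ops
    ProxyJump jump
EOF
}

# Returns 0 only if the given sshd_config has at least one ListenAddress and
# every one of them is an RFC 1918 IPv4 address (an optional :port is allowed).
# No ListenAddress at all, 0.0.0.0, or any public/IPv6 address returns 1.
sshd_binds_private_only() {
    conf="$1"
    addrs=$(awk 'tolower($1)=="listenaddress" {print $2}' "$conf")
    [ -n "$addrs" ] || return 1   # absent ListenAddress means bind everything
    for a in $addrs; do
        case "$a" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: stage the files and report the check result.
write_configs
if sshd_binds_private_only "$STAGE/ssh/sshd_config"; then
    echo "staged in $STAGE: sshd binds private addresses only"
else
    echo "staged in $STAGE: sshd_config would bind a public or wildcard address" >&2
fi
```

Applying this on real hosts means copying wg0.conf to /etc/wireguard on the jumpbox, sshd_config to /etc/ssh on the internal host (run `sshd -t` there before restarting), and the client config to ~/.ssh/config on the operator machine, which also needs its own WireGuard peer configuration for 10.8.0.2.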


> idealistic purity to forever run only the latest version of everything

But the OpenSSH devs are specifically saying “just use the old version if you need this”?

You're sweeping several huge assumptions under the rug. While it might work for the moment incidentally, it isn't a long-term solution.

I'm not sure that I understand this.

The OpenSSH developers supporting outdated systems and software forever also isn't a long-term solution. Why should they pay this cost, but not you (or your company)?

If you can keep unsupported hardware in operation, why can't you keep a containerized OpenSSH image around, or maybe a VM image, or ideally a statically linked executable?

Maybe your company can hire an expert in software archival to set this up and maintain it if needed, or an extra developer to maintain an OpenSSH fork that supports your environment.

Expecting other people (who you don't even pay) to support your outdated systems doesn't really make sense.

It seems only fair to me that if someone is insisting that they must connect to ancient systems that they should be expected to use only-slightly ancient software to do so. Or fork it, of course. If the team doesn’t want to be responsible for maintenance you’re welcome to take it on.