[szszrk]

It's not that different from having the same user/password accessible via ssh. It's best to not have direct access to important machines anyway, and go for a bastion or similar service.

But... you can switch to Kerberos SSO, or setup smart cards login instead.

You can also use it kind of like a jump host and do ssh keys I to secondary server.

I find it cool to give nice way to access in environments where ssh is not allowed by default, but https is. It's sometimes easier to setup proxies/reverse proxies in corporate forest instead of opting for direct ash access.

[rmbyrro]

Wait, who's using SSH pass auth?

Folks, private keys. Change your SSH port and use an SSH tarpit on port 22.

[FergusArgyll]

How necessary is it to change ssh ports? You can't really spray/brute force a private key

[rmbyrro]

It's not "necessary", but, when combined with a tarpit on port 22:

1. You can monitor if your private key is compromised and automatically rotate it.

2. It's fun to mess around with hackers and script kidies.

[twosdai]

The tarpit on 22 is amazing. I love looking at all the access logs every fee months and seeing connection attempts that last minutes.

[worksonmine]

> user/password accessible via ssh

This is the first thing you should disable as soon as your public key is on the server.

[sneak]

I think most people who are serious have disabled ssh password authentication.