Hacker News new | ask | show | jobs
by hnlmorg 747 days ago
Yeah, they exist because nothing better was available at that time.

It doesn’t hurt to have this functionality in openssh too. If you still need to use fail2ban, denyhosts, or whatever, then don’t enable the openssh behaviour feature. It’s really that simple.
1 comments
usrbinbash 747 days ago
How is baking this into sshd "better"?

UNIX Philosophy: "Do one thing, and do it well". An encrypted remote shell protocol server should not be responsible for fending off attackers. That's the job of IDS and IPS daemons.

Password-based ssh is an anachronism anyway. For an internet-facing server, people should REALLY use ssh keys instead (and preferably use a non-standard port, and maybe even port knocking).

link
hnlmorg 746 days ago
It’s better if you want an out of the box secure experience. This might be quite a nice default for some VPSs.

If you have a IDS and IPS set up then you’re already enterprise enough that you want your logs shipped and managed by a single pane of glass. This new SSH feature isn’t intended to solve enterprise-level problems.

Plus if you want to argue about “unix philosophy” with regards to SSH then why aren’t you kicking off about SOCKS, file transfer, port forwarding, and the countless other features SSH has that aren’t related to “shell” part of SSH? The change you’re moaning about has more relevance than most of the other extended features people love SSH for.

link
usrbinbash 745 days ago
> This new SSH feature isn’t intended to solve enterprise-level problems.

But service level security features have the potential to cause enterprise-level problems.

Sure, in an ideal world, all admins would always make zero mistakes. And so would the admins of all of our clients, and their interns, and their automated deployment scripts. Also in that perfect world, service level security features would never be on by default, have the same default configuration across all distros, and be easy to configure.

But, alas, we don't live in a perfect world. And so I have seen more than one service-level security feature, implemented with the best of intentions, causing a production system to grind to a halt.

link
hnlmorg 745 days ago
> But service level security features have the potential to cause enterprise-level problems.

Only if you don’t know what you’re doing. Which you should given you’re paid to work on enterprise systems.

Whereas not having this causes problems for users are not paid to learn this technology.

So it seems completely reasonable to tailor some features to lesser experienced owners given the wide spectrum of users that run openssh.

link