by jcynix 671 days ago
Every now and then I use GnuPG encrypted emails (or a web form) to my servers to open the firewall for certain IP addresses. If the server can decrypt such a message it can safely act on it.

The server's default is to only allow certain network ranges to access certain ports, e.g. from my local providers' or employers' networks.

2 comments

Presumably you sign the emails rather than encrypt them?

Otherwise anyone who knew the public key of the server (which shouldn't be presumed secret) could send an encrypted instruction, and it would be acted upon, and past encrypted instructions could be replayed.

> Presumably you sign the emails rather than encrypt them?

That's correct, encrypted and signed. Replaying wouldn't be easy because the payload contains a timestamp. The main purpose was to limit the networks which can attempt to connect to ssh and still allow me to have a fallback if I happened to be outside of the "usual" network ranges.
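The server-side checks such a scheme needs after GnuPG has decrypted the message and verified the signature, as an added example that is not the poster's own code: the key=value payload format, the 600-second freshness window, the replay cache and the `inet filter input` nftables chain are all assumptions.

```python
"""Added example: validate a decrypted, signature-verified 'open the firewall'
payload before acting on it.  Payload format, time window, prefix limit and the
nft table/chain names are assumptions, not from the original thread."""
import ipaddress

MAX_AGE_SECONDS = 600    # assumed: how old the signed timestamp may be
FUTURE_SKEW_SECONDS = 60  # assumed: tolerance for the sender's clock running ahead
MAX_PREFIX_SLACK = 8      # assumed: one message may open at most a /24 (v4) or /120 (v6)


def parse_payload(plaintext: str) -> dict:
    """Parse the 'key=value' lines of the already-verified plaintext."""
    fields = {}
    for line in plaintext.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def validate_request(plaintext: str, now: int, seen: set) -> str:
    """Return the nft rule to add for a fresh, non-replayed request, else raise ValueError.

    `seen` is the server's replay cache of (timestamp, network, port) already honoured.
    """
    fields = parse_payload(plaintext)
    try:
        ts = int(fields["ts"])
        network = ipaddress.ip_network(fields["ip"], strict=False)
        port = int(fields["port"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed payload: {exc}") from exc
    # Freshness: a valid signature alone proves nothing about *when* it was sent.
    if not (now - MAX_AGE_SECONDS <= ts <= now + FUTURE_SKEW_SECONDS):
        raise ValueError("timestamp outside acceptance window")
    # Replay: the timestamp doubles as a nonce, so refuse anything already acted on.
    key = (ts, str(network), port)
    if key in seen:
        raise ValueError("replayed message")
    # Scope: cap how much address space a single message can open.
    if network.max_prefixlen - network.prefixlen > MAX_PREFIX_SLACK:
        raise ValueError("network range too wide")
    if not 0 < port < 65536:
        raise ValueError("bad port")
    seen.add(key)
    fam = "ip" if network.version == 4 else "ip6"
    return f"nft add rule inet filter input {fam} saddr {network} tcp dport {port} accept"
```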

Doesn’t wireguard solve the same issue? Crypto key packet authentication?

Same question. Can someone chime in on how deploying this would be different from putting ssh behind wireguard? On first glance it looks like if you were ultra paranoid you could put this in front of wireguard and not even have to open up a udp port? Would that be an advantage to add a layer to secure wireguard against 0day?

> Doesn’t wireguard solve the same issue?

Presumably, but my solution is quite a bit older and just a poor man's hack from about 20 years ago ...