[bigstrat2003]

SSH is not at all risky if you disable password authentication. There's essentially zero chance that someone guesses your private key, though you might get annoyed with all the login failures spamming your logs. Fail2ban helps with that if you care, though I don't personally bother these days.

[pseudohadamard]

A bigger problem I think would be someone discovering a pre-auth 0day in the code. So the important thing would be to not allow the entire internet unrestricted access to whatever's running the SSH server.

[null_deref]

So that’s generally my train of thought, but from what I know there were serious vulnerabilities discovered in OpenSSH throughout the years, doesn’t it increase the risk for open ssh port or were the vulnerabilities discovered never touched those areas of ssh authentication. Seems to me that tools like tailscale and so on aren’t open to this sort of risk but I definitely can be wrong

[lxgr]

The only one I can think of is the one on Debian where key generation used weak entropy, making keys guessable.

Given its sensitivity, OpenSSH is incredibly battle-hardened and probably better than almost everything else you can run on an exposed port.

[1718627440]

> SSH is not at all risky if you disable password authentication.

ELI5, please. I understand it for passwords laymen use, but why is my 128 random byte password less secure than a key?