Yes, if you follow the advice of "not exposing anything unless you deployed the ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

yorwba on Jan 29, 2024 | parent | context | favorite | on: I looked through attacks in my access logs

Yes, if you follow the advice of "not exposing anything unless you deployed the security for it" of course you block password auth before exposing SSH to the internet.

Not everyone is following that advice. Just last week I taught a friend about using tmux for long-running sessions on their lab's GPU server, and during the conversation it transpired that everyone was always sshing in using the root password. Of course plugging that hole will require everyone from the CTO downward to learn about SSH keys and start using them, so I doubt anything will change without a serious incident.

op00to on Jan 29, 2024 [–]

> Of course plugging that hole will require everyone from the CTO downward to learn about SSH keys and start using them

I had a similar issue 15 years ago, and tied the Linux boxes into Active Directory and authenticated via Kerberos. Worked nice, no SSH keys needed!

Join us for AI Startup School this June 16-17 in San Francisco!
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact