Update on RegreSSHion

hvjunk hvjunk at gmail.com
Fri Sep 5 03:41:49 AEST 2025 


> On 04 Sep 2025, at 18:48, Gert Doering <gert at greenie.muc.de> wrote:
> 
> Hi,
> 
> On Thu, Sep 04, 2025 at 02:46:22PM +0000, Rene Malmgren wrote:
>> Would you put 1000 BTC on a system and have OpenSSH as a frontline software to protect it?
> 
> I would not put 1000 BTC on a system that is accessible via any means
> from the Internet.  This is how real men do "security".

Yeah that  one… the only secure computer, is one buried in a 100feet thick and deep steel enforced concrete container with no network en electricity supply… and even then I’ll have my doubts ;)
I do believe the only fail safe firewall is the side-cutter applied to both the network en power cables.
> 
> But if I had to, OpenSSH would be the least of my worries.  I guess I'd
> ensure that only pubkey auth is possible, that there is a firewall in 
> the way that only allows specific subnets that I trust, etc. - but that
> is general good hygiene.  Reduce blast radius.  Bugs happen.

Even subnets can’t be “trusted” once you’ve traversed an untrusted network… which makes for an interesting thing I can now do with IPv6… I have typically 64bits to use for a hash/mac to communicate with 0_o thanks that is an interesting  toy R&D

> Like, kernel bugs that are exploitable remotely... so, "do not put things
> on the Internet".

I’ll add that I’ll also NOT use a public Linux Distro, but OpenBSD that was  audited (Somebody once said: Trust, but verify) the the borders too.. 

> 
> gert 
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list