Re: Limiting attack surface for Debian sshd
- To: debian-user@lists.debian.org
- Subject: Re: Limiting attack surface for Debian sshd
- From: Marc SCHAEFER <schaefer@alphanet.ch>
- Date: Sat, 12 Apr 2025 09:39:53 +0200
- Message-id: <Z/oYyRzTQNRpqnPK@alphanet.ch>
- In-reply-to: <Z/n5AUbsLCtq3mbB@tuxteam.de>
- References: <Z/lbflFSAPGvvIeG@alphanet.ch> <Z/l0rHF84CapBU5R@mail.bitfolk.com> <Z/n5AUbsLCtq3mbB@tuxteam.de>
Hello,
Jumping into your interesting ssh vs VPN discussion:
On Sat, Apr 12, 2025 at 07:24:17AM +0200, tomas@tuxteam.de wrote:
> - you didn't explain how "a VPN's" mechanism is inherently more
> secure than sshd's, given that their mechanisms are all pretty
> similar.
I agree. Especially since the idea here is to create a jump host,
it has all advantages of a VPN (can be on a separate host,
can be handled with firewall rules), much the same.
I am also a fan of VPNs, BTW. Sometimes they are very
useful too. But sometimes, yes, I think they are overblown
compared to a "simple" ssh server. They may however offer
more features in some cases (namely UDP tunnelling and
maybe simpler integrations on non standard OSes like Microsoft,
that I don't use).
> - Your category "a VPN" is hopelessly too broad (that's why I
> put it in quotes). What do you mean? IPSec? OpenVPN? Wireguard?
> CIPE? Some proprietary thing (there are loads of them)?
Yes.
On the subject of attack surfaces, let's talk about OpenVPN:
schaefer@reliant:~$ ldd /usr/sbin/openvpn
linux-vdso.so.1 (0x00007ffedb3b3000)
liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007fa13453a000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fa134517000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa1344f5000)
libpkcs11-helper.so.1 => /lib/x86_64-linux-gnu/libpkcs11-helper.so.1 (0x00007fa1344d6000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fa134443000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fa13414f000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fa134098000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa134092000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa133ebe000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13465d000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa133eb4000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fa133e8c000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fa133db1000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fa133c8f000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fa133c69000)
It looks a bit narrower than stock sshd on Debian, but you can find the
same "interesting" libs. Also, I wonder if OpenVPN has similar
privilege separation as ssh. They seem to have though about it:
https://community.openvpn.net/openvpn/wiki/PrivilegeSeparation
but it does not look as streamlined as SSH (I might be wrong).
NB: however, some recent OpenVPN releases might also run with a kernel
module, which augments the attack surface considerably -- I don't use it
yet, but you might find it necessary for high workloads (stock OpenVPN is
1-core for compression/encryption). SSH is one-process-per-user,
so it should scale better in my workloads.
Wireguard, for example, is mostly kernel-side BTW.
I do not assume those kernel codes are unsafe, I am pretty sure they
have audited them. It just makes the attack surface much bigger.
> Since security depends critically on implementation details and
> the dedication of the group behind the software, the above is quite
> relevant.
Agree.
Reply to: