Re: Limiting attack surface for Debian sshd
- To: debian-user@lists.debian.org
- Subject: Re: Limiting attack surface for Debian sshd
- From: Andy Smith <andy@strugglers.net>
- Date: Sat, 12 Apr 2025 09:03:09 +0000
- Message-id: <Z/osTQTaWwklOC/R@mail.bitfolk.com>
- In-reply-to: <Z/oYyRzTQNRpqnPK@alphanet.ch>
- References: <Z/lbflFSAPGvvIeG@alphanet.ch> <Z/l0rHF84CapBU5R@mail.bitfolk.com> <Z/n5AUbsLCtq3mbB@tuxteam.de> <Z/oYyRzTQNRpqnPK@alphanet.ch>
Hi,
On Sat, Apr 12, 2025 at 09:39:53AM +0200, Marc SCHAEFER wrote:
> sometimes, yes, I think [VPNs] are overblown compared to a "simple"
> ssh server.
I think that a decent modern VPN solution is much simpler than OpenSSH,
especially when your alternative is recompiling OpenSSH to remove
dependencies that you think you don't need.
> Wireguard, for example, is mostly kernel-side BTW.
>
> I do not assume that kernel code is unsafe; I am pretty sure they
> have audited it. It just makes the attack surface much bigger.
I am pretty confident that the amount of code that can be reached by
strange packets from the Internet side is going to be a lot smaller with
WireGuard.
It's going to be quite difficult to prove either way though, so let's
just agree to disagree.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting