Ask HN: Is Connecting via SSH Risky?

3•atrevbot•1h ago

I have been managing websites for a while and usually utilize SSH connections to login to, deploy code to, and otherwise remotely access the hosting servers.

I was recently informed that a client I work with considers that a legal risk.

If the SSH connection is set to disallow passwords and only authorize via SSH keys, how big of a risk is this?

Comments

phren0logy•1h ago

Compared to what?

DamonHD•1h ago

Indeed.

atrevbot•1h ago

They seem to be okay w/ only HTTP ports being open on the server (80, 443). They "found that open ports can lead to cyber claims".

bediger4000•16m ago

That's like saying that open bottles lead to alcoholism.

robertcope•33m ago

How else would you do it?

rl3•21m ago

Best practices usually call for not exposing the SSH endpoints to the public internet. The principal risk is vulnerabilities in the underlying SSH server implementation. Historically, critical flaws that can compromise you are few and far between. However, these days AI is already starting to become adept at reverse engineering.

If you must, you'd typically use a bastion host that's configured just for the purpose of handing inbound SSH connections, and is locked down to a maximal degree. It then routes SSH traffic to your other machines internally.

I'd argue that model is outdated though, and the prevailing preference is putting SSH behind the firewall on internal networks. Think Wireguard, Tailscale, service meshes, and so on.

With AWS, restricting SSH ports via security groups to just your IP is simple and goes a long way.

verdverm•18m ago

Runs counter to my understanding, I'd ask for clarification and find support material to show your approach is safer.

Treat it as a teaching moment for them

speleolinux•17m ago

If your private key has a good passphrase and is suitably encrypted, say with ed25519, then that's probably as good as you can do other than physically going into work and storing everything in your head :-) Politely ask the client to suggest what they consider would be a suitable alternative. I also setup git hooks to prevent accidentally checking in private keys or passwords into git or other version control systems. And if I'm travelling into or from work I also encrypt some stuff just in case I have a problem and the laptop is stolen.

MLM Software Development

Is AI the Next Climate Change?

Show HN: Skill Gen: A meta skill for auto-generating skills from docs

We built a serverless GPU inference platform with predictable latency

Bridge AI with SKills

Show HN: Anoncast: Turn Blogs into Podcasts

InvoiceBingo

Game Boy Advance Audio Interpolation

When internal hostnames are leaked to the clown

Replit's Recent Pricing Change Is About Trust, Not Credits

Study: Older Cannabis Users Have Larger Brains, Better Cognition

NASA acknowledges the elephant in the room with the SLS rocket

New DeepSeek Research – The Future Is Here [video]

ICE seeks industry input on ad tech location data for investigative use

Claude Cowork and the Case of SaaSpocalypse

Show HN: An AI-Powered President Simulator

Astronauts Are Going Back to the Moon for the First Time in Half a Century

The CIA Is Sunsetting the World Factbook

Climate Change Economic Models Omit Shocks, Likely Flawed

Show HN: A text format for UI wireframes – comparing token costs across 4 format

Show HN: FIPSPad – a FIPS 140-3 and NIST SP 800-53 minimal Notepad app in Rust

Mick Jagger "Memo from Turner" (1970) [video]

Show HN: Use Claude Code to Query and Analyze Your Finances

4-Hour Builds: Anatomy of a Developer Experience Collapse

Spellcasting

OpenClaw Is Lonely [video]

Strava removes 2.3M rides from leaderboards in clampdown on cheats

Constant 14ms attention: 512→524K tokens (24.5x faster than FlashAttention)

Sequoias Need for Churn

Investigators found 'concerning similarities' between Reedley, Las Vegas labs