Thoughts on having SSH allow password authentication from the Internet
70 comments
·January 18, 2025sshine
juangacovas
Same here, PasswordAuthentication is globally No, but I always hold an special username for emergencies which is the only user allowed to login via password (easy at sshd_config file, Match User xxxx then "PasswordAuthentication yes"). Besides emergencies, also works wonders when some sysadmins insist to login via bare metal terminal and cannot use a key...
jasonm23
> sysadmins insist to login via bare metal terminal and cannot use a key...
In 2024 how is this an employed person.
fak3r
This has been my practice for 20+ years of running SSH, that and using Ansible to keep sshd hardened. https://github.com/dev-sec/ansible-collection-hardening/tree...
sshine
I also harden my sshd_config.
I mainly disabled all legacy cryptography and types of tunnelling/forwarding that I don't rely on:
https://gist.github.com/sshine/e42ecb7f9d7432e6df331eefdd490...
I also only expose SSH on public interfaces on one machine; all other machines have SSH over VPN.
sam_lowry_
I configure password login for root on on standard port for all servers I personally control. Moreover, they all have the same root password.
Over the 20+ years, I witnessed a few security incidents. None was related to ssh, let alone a break in via a weak password.
But I ran into many situations when I needed immediate access to the server and this setup saved my day, my money and my nerves.
jand
sry to be that guy (with a snarky comment):
> Over the 20+ years, I witnessed a few security incidents.
As you said, the attackers who breached your system had ssh root access and you had no chance to detect them.
sam_lowry_
Attackers attack for a reason. For targets like my servers, they mostly want to install mining software or a DDoS bot. This is detectable via cpu or network monitoring.
I assume if someone wanted to extort money from me after encrypting the disks on my servers, I would also be somehow informed.
enkrs
If the argument for a password login is being able to log in from anywhere, just store a spare ssh key (password protected) in your gmail or similar that's reasonably safe and accessible from anywhere.
But I'm having hard time imagining those "anywhere" machine scenarios. Strangers machines that you trust enough to connect to your servers, and are able to install putty or your preferred ssh client of choice on? Better just have SSH on your own phone and laptop.
sam_lowry_
> I'm having hard time imagining those "anywhere" scenarios
Hold my beer.
You ski in the Alps, its noon, and you get an alert that your DB is down.
You know this may happen because of invasive bots, and you know what to do, so you just find a calm spot at the high-altitude cafe, ssh from the phone, find the infringing bot's IPs, block them with ipset and send yourself an email to deal with the problem properly later.
Then you ski happily until dusk, knowing that users won't be affected.
saurik
I think "anywhere" here has to mean "any random device you come across", not merely "any strange location", as the premise is being able to log in with just a password rather than a key... I often use my phone to do tasks, but I do it with an ssh key on my phone.
kenhwang
Back when I worked from my phone while in the ski lift line, the solution really is to keep an SSH key on the phone if I intended to do any work from it.
If I really had to access work resources from any random device, I'd go through the ordeal of logging into the SSO to log in to the web console to open a temporary cloud SSH session with the multiple layers of 2FA and probably even SecOps manual approvals that's likely required.
commandersaki
For some reason I don't mind an ephemeral SSH session on a random device but I'm less likely to do webmail/email.
doorsopen
As someone who works with SREs every day, this breaks my heart.
1 - Don't be on-call while going to ski
2 - fail2ban and other automated systems can do this for you
3 - Passwords suck and are typically not regularly rotated unless you're using some centralized IdP
If you're in this situation you have already failed. If you use password auth use 2FA as well, and then I don't cry, it's just toil though.
sam_lowry_
1. It breaks my heart to see indie dev spirit die even on HN.
2. it's brittle and too automated to my taste. There may be false positives that I'd fait to review if it was too automated.
3. There should be a very limited set of passwords for your main assets. For instance, one for infrastructure, one for a password manager, one for the safe at home. And they should never be rotated. They are meant to be ingrained in muscle memory and stay with you for many years.
xorcist
> ssh from the phone
That strengthens the previous commenters point. That personal phone is not an "anywhere" device but one that already carries the necessary software and can both interface your yubikey or carry your encrypted keys.
A better example would be the same ski trip but where the data connection is bad on nonexistent so you borrow the hotel's computer to make the emergency fix.
We used to do things like that, complete with post trip password rotations. I carried a laminated card in my wallet with the important key fingerprints. But with devices like the yubikey and cheap international data roaming, that has gotten less common.
sam_lowry_
A Google or Apple phone carrying encryption keys to my precious servers? Hm... I feel already pwned.
Jokes aside, I can not be bothered installing ssh keys on my phone. Phones change, get broken or stolen. Ssh clients on phones change as well and can not always be relied upon. I want to be 100% sure I can have ssh access to my servers in whatever improbable situation.
As for Yubikey... I used it for a while as a keyboard emulator to generate a string to prepend to my corporate laptop password that had insane strength requirements.
For personal and small business auth... it is too complex and brittle.
And frankly, what's the problem with a strong password? Like... a quote from Netzsche translated in a mix of French and Dutch with a couple special chars thrown in?
sam_lowry_
Another one: you sold an online business and forgot about it until the moment the buyer contacts you asking for a meeting exactly when you decide whether you want to go to the bomb shelter or risk staying in the appartment building so conveniently located next to a damb that protects Kyiv from flooding.
You decide that staying on the 9th floor on the path of cruise missiles to the damb is too risky, pick your good old Toughbook that has enough juice to last until dawn, and go downstairs, asking the buyer over phone to reset the root password and send it over whatsapp.
Once installed in the shelter, you quickly realize the disk is full, clean the logs and give furter instructions to the buyer to pass on to his IT.
teruakohatu
Instead: you WhatsApp your public ssh key to the buyer and login once they confirm your key has been added.
I have had to send my ssh pub key over all sorts of messaging platforms.
cyberpunk
If I’m skiing in the alps there’s no fucking way I am on call, and you shouldn’t accept it either…
sam_lowry_
Can you imagine that some people are their own bosses, with no backup whatsoever?
ruthmarx
It's convenient and fail2ban/crowdsec is generally a sufficient safeguard. Bruteforcing isn't realistic so you just have to keep an eye on vulns.
Key auth is obviously better, but password auth is not as bad as many people like to pretend.
robador
I was just playing around with this problem. I ended up firewalling the SSH port for all but my personal IP, then have wireguard set up so I can use it from within my wireguard network. Works perfectly so far as long as I have my clients set up.
nickdothutton
Had my mind drifting back to days of S/Key [1] and little scraps of paper with crossings out on them.
TMWNN
It's still a very valid solution.
I used S/KEY for years when I wanted to log into a remote system from a machine I didn't control. I didn't care so much about keystrokes being intercepted; I did care about my password being intercepted. S/KEY (or OPIE, depending on system) let me log in/sudo without exposing said password. I never carried around a preprinted list of codes, rather using a generator on my PDA.
It's possible to do the same thing with `pam_google_authenticator`; that is, having that OTP being the only required password, for the same reason. Nowadays this is the easier solution to go with,[1] because there are multiple OTP generator clients on all platforms, but almost all tutorials assume OTP being used for 2FA and not the only password so some more familarity with PAM beyond the tutorials is needed.
[1] Barring the requirement for read/write access to the secrets file, which SELinux complicates
timewizard
> This is something that I probably care about more than most people, because as a system administrator I want to be able to log in to my desktop even in quite unusual situations.
If I understand correctly you can have your SSH key entirely on a Yubikey if you use PIV or OpenPGP.
denysvitali
Yes, this.
GPG supports smartcards (yes, the plastic smartcards) since ages. The Yubikey will appear as a smartcard on GPG and will work on pretty much sny setup.
null
pointlessone
Does every random system automatically picks up Yubikey? Does SSH on all platforms find that key?
jazzyjackson
Up to date systems should support it since about 2021
To get started you’ll need OpenSSH version 8.2 or later, and you’ll also need libfido2 installed. Windows users may need to use Cygwin for this.
https://www.yubico.com/blog/github-now-supports-ssh-security...
null
computerfriend
Now you can drop the PIV or PGP dependencies. OpenSSH can use webauthn to derive SSH keys.
silisili
I've found that just moving it off 22 reduced credential guessing attempts by 100%.
WhyNotHugo
I use a Yubikey with ssh keys, and suddenly I have my ssh keys available anywhere, while I also avoid them being stored in any single host.
AnonymousPlanet
The first time I actually read this as "... and suddenly I can lose my ssh keys anywhere"
pluto_modadic
why not both? :D
commandersaki
I allow password based auth to my VPS because keys are not always a possibility, and I listen on port 22 (and port 25, 465, 587, 993) because I like the convenience.
However I use some simple restrictions such as AllowUsers and pubkey auth only for root.
I think this is a reasonable defence against typical ssh dictionary attacks.
l0ng1nu5
Why not use port knocking as well?
doorsopen
Port knocking is so 2014. Single Packet auth for publicly exposed hidden services is great: https://github.com/mrash/fwknop
rwmj
What's the best way to set up port knocking on a Fedora / Debian server? While not a security measure per se, it adds a layer of obfuscation which blocks random scanners.
c64d81744074dfa
Not sure if this is the best, but I use nftables and this article helped me setup port knocking on a debian server: https://home.regit.org/2017/07/nftables-port-knocking/
Then I added a tripwire feature to make it less likely that a random port traversal would be successful. Here's a snippet of my nftables.conf:
define KNOCK_PORT1 = 20000
define KNOCK_PORT2 = 30000
define KNOCK_PORT3 = 10000
define TRIPWIRE_PORT1 = 15000
define TRIPWIRE_PORT2 = 25000
table inet filter {
.
.
set allowed_ssh {
type ipv4_addr
flags timeout
elements = { $HOME_IP, $OTHER_SERVER_IP }
}
# track port knocking
set knock1 {
type ipv4_addr
timeout 5s
}
set knock2 {
type ipv4_addr
timeout 5s
}
set banned {
type ipv4_addr
timeout 1m
}
# handle port knocking
chain raw {
type filter hook prerouting priority raw;
policy accept;
ip saddr @banned tcp dport { $KNOCK_PORT1, $KNOCK_PORT2, $KNOCK_PORT3} log prefix "nft banned: " drop
tcp dport $KNOCK_PORT1 set add ip saddr @knock1 log prefix "nft knock1: " drop
ip saddr @knock1 tcp dport $TRIPWIRE_PORT1 set add ip saddr @banned log prefix "nft tripwire1: " drop
ip saddr @knock1 tcp dport $KNOCK_PORT2 set add ip saddr @knock2 log prefix "nft knock2: " drop
ip saddr @knock2 tcp dport $TRIPWIRE_PORT2 set add ip saddr @banned log prefix "nft tripwire2: " drop
ip saddr @knock2 tcp dport $KNOCK_PORT3 set add ip saddr @allowed_ssh log prefix "nft knock3: " drop
}
}cyberpunk
I just stick remote access on tailscale interfaces these days. If something goes astronomically wrong I can get in via my cloud providers console access too.
I really don’t understand why people run sshd on the open internet anymore.
I only accept keys on non-standard SSH ports.
Less spam traffic, easier to access.
Rejecting passwords is just as much a convenience nowadays:
I just don't have passwords on my remote machines any more.