Void's Forums

I wanted to post a question out there to get people's opinion: Is SSH really bad?

The reason for my question is I was dealing with an IT manager/security guy of a client when I was discussing how our system operates. It uses rsync over ssh to communicate with my server to sync directories. It logs in using the SSH keys. Coming from our previous windows system, it is a huge improvement. I shouldn't have to go into discussion on why in this forum

The response I got from this guy was SSH is terrible and shouldn't be used. He didn't really go into detail, and as a potential customer, I bit my lip. I am not sure of his credentials, but he was the head of their IT and in charge of security. Granted, a title doesn't give him the expertise to back up his statement, he could be the nephew of the owner, for all I know. But I wanted to see if there are opinions out there that may back this up. It came up again today where the ITSEC department is questioning the use of SSH as a communication method. They are fine with SSL but are red-flagging the SSH until they see documentation of its use.

I can't imagine he would have had a problem with it in a security context especially if your ssh ports are restricted using iptables. The only thing I can imagine is if your ports are open to the world you expose yourself to a brute force login attempts that could allow login to an account if a password is guessed. Of course that assumes you allow password login and your ssh ports are exposed to the world. It would certainly be interesting to hear more about this. :)

well, on my initial server, we have port 22 open to the world, but I have sshblack running that dynamically adjusts my iptables based on four bad user or password attempts. seems to work pretty good. My next server which is on its way up, I am using a non standard port for the SSH communications. I really don't have much to give as far as a reason why this people are questioning the use of SSH, so that is why I posted the question.

Yeah, I don't get it either. ssh is about as secure as it gets (as long as it's configured securely as mentioned). You could go completely key based and not allow any password logins. That would be even more secure.

I thought about that. Do you know off hand if I can just allow certain users password auth and the rest use keys? That way I could give the users that support our system the ability to login and not call me when their keys are messed up we are only talking about four other people right now

Well, I know you can restrict SSH to specific users but I don't know if you can specify one is allowed to use password and one isn't. There usually is a way to do just about anything but I would have to dig into it.

I found out the reason that the IT SEC department I was just recently dealing with was concerned about the ability to do the ssh-backdoor. I guess that is a legit concern from an IT security department! Ironically, if we need temporary remote access to a clients device that we support, we have the technician open an ssh-backdoor temporarily.