from Hacker News

Show HN: Caddy-SSH

by m_sahaf on 3/28/22, 2:19 PM with 131 comments

by m_sahaf on 3/28/22, 2:26 PM
Hi everyone! Author here
This has been my stress-reliever for the past ~2 years. I'm sticking around, so feel free to ask any questions.
Github Repo: https://github.com/mohammed90/caddy-ssh
by jon-wood on 3/28/22, 3:10 PM
What's the benefit of this being built on top of Caddy, which unless I'm mistaken has historically been an HTTP(S) server? Maybe there's someone intrinsically great about how Caddy works for this, but on first glance it feels like the scope creep in servers like Apache, or Curl's support for querying every data source under the sun. It can be handy having a single tool that does everything, but at the same time that gives an ever larger attack surface where suddenly your machine has been compromised via instructions from an MQTT server because Curl was installed.
by yjftsjthsd-h on 3/28/22, 2:43 PM
> The ISRG estimates ~80% of the vulnerabilities exploited in the wild are memory safety bugs.
Okay, but 1. How many vulnerabilities has openssh shipped, and 2. How many of those were memory issues? I would usually be tentatively on board, but you're competing with the OpenBSD folks, who have a shockingly good track record regardless of using C. No offense, but you could write in a formally verified Ada subset and I'd still hesitate to replace my SSH daemon.
(FWIW, I say all of this hoping to be wrong; an alternative implementation, if equally secure, would be great to have.)
by sneak on 3/28/22, 4:11 PM
Note that outsourcing your key list to a live GitHub URL gives Microsoft unfettered access to your box, should they (or anyone who can compel them, such as the US armed forces) ever want or need it.
If you wouldn't use Microsoft SSO for local login, you should not thus configure your sshd that way.
by g_p on 3/28/22, 4:03 PM
This looks very interesting. Is there any support (or plans) for SSH certificates? They help to manage some of the revocation and access control challenges, as well as the issues around trust-on-first-use and similar. (And also the fragility of syncing around authorized-keys files, or relying on LDAP for login, in infrastructure type environments).
See also - https://news.ycombinator.com/item?id=30788544
by GordonS on 3/28/22, 2:58 PM
Pluggable auth providers for SSH sounds awesome, though I can't think of a particular use for it right now!
by donatj on 3/28/22, 4:19 PM
I'm not sure I fully understand, what's the advantage of getting Caddy involved here versus a fully standalone app?
Given the name I'd at first figured it was an official Caddy project, but that does not seem to be the case.
by achairapart on 3/28/22, 7:42 PM
Speaking of sane defaults, I wonder how many people are aware that Caddy serves dotfiles by default.
by elischleifer on 3/28/22, 9:02 PM
Biggest obstacle to proper SSH usage tends to be the creation and management of people's private keys. The number of times people have to google for instructions for doing this right is insane. Let's get someone working on that.
by foxtrottbravo on 3/28/22, 3:56 PM
First and foremost, congratulations on bringing the project to this stage - I think it's an impressive piece of work.
I am in no way qualified to trample on your parade but two things came to my mind that pinch a personal nerve of mine and I would really like to have alleviated by you or the folks who know that stuff:
- if your Goal was "secure by default", why did you allow passwords in the first place? Following Caddys recipe would be more like SSH-Keys only, wouldn't it? Is there a reason other than compatibility?
- In that same avenue? Why allow such a thing as downloading authorized keys from a third party? Domain takeovers or account compromises on say Github are a thing - so again while it may be a nice usability aspect isn't that contrary to the secure by default pradigm?
Again thank you for your work and congratulations on the project - those above are just honest questions that came to mind which I would really like to be educated on