• Re: Limiting attack surface for Debian sshd

    From tomas@tuxteam.de@21:1/5 to Andy Smith on Sat Apr 12 07:30:01 2025
    On Fri, Apr 11, 2025 at 07:59:40PM +0000, Andy Smith wrote:
    > Hi,
    >
    > On Fri, Apr 11, 2025 at 08:12:14PM +0200, Marc SCHAEFER wrote:
    > > systemd dependencies that are activated on a Debian system imply a lot
    > > of library injections into sshd, much more than the stock OpenBSD ssh.
    > >
    > > [...]
    > >
    > > What do you think about this approach?

    I'd be all for it, actually.

    > I think you're wasting your time and should not have sshd listen on the
    > public Internet at all, instead VPN in to your network and only have
    > sshd available on the inside.

    You already stated this. I don't think it is right, for two reasons:

    - you didn't explain how "a VPN's" mechanism is inherently more
      secure than sshd's, given that their mechanisms are all pretty
      similar.
    - Your category "a VPN" is hopelessly too broad (that's why I
      put it in quotes). What do you mean? IPSec? OpenVPN? Wireguard?
      CIPE? Some proprietary thing (there are loads of them)?

    Since security depends critically on implementation details and
    the dedication of the group behind the software, the above is quite
    relevant.

    So, share your wisdom with us: what makes ssh less secure than
    "a VPN"?

    Cheers
    --
    t

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From tomas@tuxteam.de@21:1/5 to jeremy ardley on Sat Apr 12 07:50:01 2025
    On Sat, Apr 12, 2025 at 01:32:06PM +0800, jeremy ardley wrote:
    > On 12/4/25 13:24, tomas@tuxteam.de wrote:
    > > So, share your wisdom with us: what makes ssh less secure than
    > > "a VPN"?
    >
    > It's quite simple. If you have a VPN exposed to the internet and an ssh
    > service then you have two attack surfaces in parallel. Breach either
    > one and you breach the system.

    What if you don't even need the VPN (as is often the case)?

    Remember: simplicity usually helps security, because the admin can
    understand the system better.

    Cheers
    --
    t

  • From Marc SCHAEFER@21:1/5 to tomas@tuxteam.de on Sat Apr 12 09:50:01 2025
    Hello,

    Jumping into your interesting ssh vs VPN discussion:

    On Sat, Apr 12, 2025 at 07:24:17AM +0200, tomas@tuxteam.de wrote:
    > - you didn't explain how "a VPN's" mechanism is inherently more
    >   secure than sshd's, given that their mechanisms are all pretty
    >   similar.

    I agree. Especially since the idea here is to create a jump host,
    it has all advantages of a VPN (can be on a separate host,
    can be handled with firewall rules), much the same.

    I am also a fan of VPNs, BTW. Sometimes they are very
    useful too. But sometimes, yes, I think they are overblown
    compared to a "simple" ssh server. They may however offer
    more features in some cases (namely UDP tunnelling and
    maybe simpler integrations on non standard OSes like Microsoft,
    that I don't use).

    > - Your category "a VPN" is hopelessly too broad (that's why I
    >   put it in quotes). What do you mean? IPSec? OpenVPN? Wireguard?
    >   CIPE? Some proprietary thing (there are loads of them)?

    Yes.

    On the subject of attack surfaces, let's talk about OpenVPN:

    schaefer@reliant:~$ ldd /usr/sbin/openvpn
        linux-vdso.so.1 (0x00007ffedb3b3000)
        liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007fa13453a000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fa134517000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa1344f5000)
        libpkcs11-helper.so.1 => /lib/x86_64-linux-gnu/libpkcs11-helper.so.1 (0x00007fa1344d6000)
        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fa134443000)
        libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fa13414f000)
        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fa134098000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa134092000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa133ebe000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa13465d000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa133eb4000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fa133e8c000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fa133db1000)
        libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fa133c8f000)
        libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fa133c69000)

    It looks a bit narrower than stock sshd on Debian, but you can find the
    same "interesting" libs. Also, I wonder if OpenVPN has similar
    privilege separation as ssh. They seem to have thought about it:
    https://community.openvpn.net/openvpn/wiki/PrivilegeSeparation
    but it does not look as streamlined as SSH (I might be wrong).

    NB: however, some recent OpenVPN releases might also run with a kernel
    module, which augments the attack surface considerably -- I don't use it
    yet, but you might find it necessary for high workloads (stock OpenVPN
    is 1-core for compression/encryption). SSH is one-process-per-user,
    so it should scale better in my workloads.

    Wireguard, for example, is mostly kernel-side BTW.

    I do not assume those kernel codes are unsafe, I am pretty sure they
    have audited them. It just makes the attack surface much bigger.

    > Since security depends critically on implementation details and
    > the dedication of the group behind the software, the above is quite
    > relevant.

    Agree.

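The comparison Marc makes by eye above (which libraries a daemon drags in, and which of them are shared with sshd) can be done mechanically. The script below is an added example, not code from the thread or from either project: it parses ldd output into a set of library names, diffs two listings and flags a watch-list. The OpenVPN listing is the one posted above; the sshd listing is constructed for the demonstration (the thread's premise that Debian's sshd links libsystemd is kept, the exact set is invented); the WATCHLIST is this editor's assumption, not something the thread recommends.

```python
"""Compare the shared-library footprint of two daemons from their ldd output."""
import subprocess

# OpenVPN: ldd output exactly as posted in the thread above.
OPENVPN_LDD = """\
linux-vdso.so.1 (0x00007ffedb3b3000)
liblzo2.so.2 => /lib/x86_64-linux-gnu/liblzo2.so.2 (0x00007fa13453a000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007fa134517000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa1344f5000)
libpkcs11-helper.so.1 => /lib/x86_64-linux-gnu/libpkcs11-helper.so.1 (0x00007fa1344d6000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fa134443000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fa13414f000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fa134098000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa134092000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa133ebe000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13465d000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa133eb4000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fa133e8c000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fa133db1000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fa133c8f000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fa133c69000)
"""

# sshd: CONSTRUCTED listing for the demonstration, not a real capture
# (load addresses zeroed; libsystemd and its transitive deps included on purpose).
SSHD_LDD_CONSTRUCTED = """\
linux-vdso.so.1 (0x0)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x0)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x0)
libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x0)
libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x0)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x0)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x0)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x0)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x0)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)
/lib64/ld-linux-x86-64.so.2 (0x0)
"""

# Editor's watch-list (an assumption, adapt to your threat model): libraries the
# network protocol itself does not need, pulled in via libsystemd.
WATCHLIST = {"libsystemd", "liblzma", "libzstd", "liblz4", "libgcrypt"}


def parse_ldd(text):
    """Map each soname to its resolved path.

    Lines without ' => ' (the vDSO and the dynamic loader) are skipped;
    an unresolved library ('=> not found') maps to None.
    """
    libs = {}
    for line in text.splitlines():
        line = line.strip()
        if " => " not in line:
            continue
        soname, rest = line.split(" => ", 1)
        path = rest.split(" (", 1)[0].strip()
        libs[soname] = None if path == "not found" else path
    return libs


def base_name(soname):
    """'libcrypto.so.1.1' -> 'libcrypto', so differing ABI versions compare equal."""
    return soname.split(".so", 1)[0]


def compare(ldd_a, ldd_b):
    """Library names only in a, only in b, and shared (all sorted)."""
    a = {base_name(s) for s in ldd_a}
    b = {base_name(s) for s in ldd_b}
    return {"only_a": sorted(a - b), "only_b": sorted(b - a), "common": sorted(a & b)}


def flagged(ldd, watchlist=WATCHLIST):
    """Watch-listed libraries present in a listing, sorted."""
    return sorted(base_name(s) for s in ldd if base_name(s) in watchlist)


def ldd_of(path):
    """Run ldd on a real binary (e.g. /usr/sbin/sshd) and parse the result."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True, check=True)
    return parse_ldd(out.stdout)


if __name__ == "__main__":
    ov, ssh = parse_ldd(OPENVPN_LDD), parse_ldd(SSHD_LDD_CONSTRUCTED)
    diff = compare(ov, ssh)
    print("openvpn only:", diff["only_a"])
    print("sshd only   :", diff["only_b"])
    print("shared      :", diff["common"])
    print("watch-list hits, openvpn:", flagged(ov))
    print("watch-list hits, sshd   :", flagged(ssh))
```

Run it against real binaries with `ldd_of("/usr/sbin/sshd")` and `ldd_of("/usr/sbin/openvpn")` instead of the embedded strings. Note that ldd reports the transitive closure, which is the point of Marc's observation: one `libsystemd` entry brings in the compression and crypto libraries below it, whether or not the daemon ever calls them.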
  • From tomas@tuxteam.de@21:1/5 to Marc SCHAEFER on Sat Apr 12 10:10:01 2025
    On Sat, Apr 12, 2025 at 09:39:53AM +0200, Marc SCHAEFER wrote:
    > Hello,
    >
    > Jumping into your interesting ssh vs VPN discussion:
    >
    > [...]

    Thanks for all those interesting details.

    To sum up, I'd concur with Andy in one point: *if* you are running
    a VPN anyway, it's better to hide your SSH behind that.

    Otherwise, I tend to disagree. I'd expect OpenSSH to be far better
    audited...

    > I do not assume those kernel codes are unsafe, I am pretty sure they
    > have audited them. It just makes the attack surface much bigger.

    ... than probably anything else out there (available to mere mortals,
    not in NSA's deep belly or any other mythical beast). Of course, it
    gets its share of auditing love by the Bad Actors, too, so there you
    are.

    Setting up a VPN to "just" protect an SSH access seems like a bad
    use of resources to me. Invest those in your SSH daemon's setup
    (misconfiguration being probably the most widespread source of
    security flaws).

    But... it's always a bet, since none of us knows everything.

    Cheers
    --
    t

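On tomas's point that the effort is better spent on the sshd setup itself, here is an added example (not from the thread, and not OpenSSH's own tooling) of a small checker for the global section of an sshd_config. Both config samples are constructed for the demonstration, and BASELINE is this editor's minimal set of directives, not a recommendation taken from the thread. The checker mirrors two sshd parsing rules that catch people out: the first occurrence of a directive wins, and everything after a `Match` line is conditional.

```python
"""Audit the global section of an sshd_config against a small baseline."""
import re
import sys

# Constructed: a weak configuration. The duplicate PasswordAuthentication line
# matters: sshd keeps the FIRST value it sees, so the later "no" does nothing.
WEAK_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""

# Constructed: the same server with the weak settings corrected.
HARDENED_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
AllowUsers admin
Match User backup
    PasswordAuthentication no
"""

# directive (lower-case) -> acceptable values (lower-case). Editor's baseline.
BASELINE = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no",),
    "kbdinteractiveauthentication": ("no",),
    "x11forwarding": ("no",),
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section only.

    Keywords are case-insensitive; 'Key value' and 'Key=value' are both
    accepted. The first occurrence of a directive wins (setdefault), and
    parsing stops at the first 'Match' line because directives below it
    apply only to matching connections.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        values.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return values


def audit(text, baseline=BASELINE):
    """List (directive, actual, expected) for each baseline directive that is
    unset or outside its acceptable values. 'unset' is reported too: built-in
    defaults differ between OpenSSH versions, so a hardened config should be
    explicit."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in baseline.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append((key, "unset", allowed[0]))
        elif actual.lower() not in allowed:
            findings.append((key, actual, allowed[0]))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sshd.py /etc/ssh/sshd_config   (no argument: the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak": WEAK_CONFIG, "hardened": HARDENED_CONFIG}
    for name, text in samples.items():
        findings = audit(text)
        print(f"{name}: {len(findings)} finding(s)")
        for key, actual, expected in findings:
            print(f"  {key}: {actual} (expected {expected})")
```

The checker does not follow `Include` lines, and on Debian the stock sshd_config includes `/etc/ssh/sshd_config.d/*.conf` before anything else, so a directive in a drop-in file wins over the main file. The reliable input is therefore the effective configuration that `sshd -T` prints (lower-case `key value` lines, Include and first-wins already resolved), which `parse_sshd_config` reads as-is.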
  • From Andy Smith@21:1/5 to Marc SCHAEFER on Sat Apr 12 11:10:01 2025
    Hi,

    On Sat, Apr 12, 2025 at 09:39:53AM +0200, Marc SCHAEFER wrote:
    > sometimes, yes, I think [VPNs] are overblown compared to a "simple"
    > ssh server.

    I think that a decent modern VPN solution is much simpler than OpenSSH
    and especially when your alternative is recompiling OpenSSH to remove
    dependencies that you think you don't need.

    > Wireguard, for example, is mostly kernel-side BTW.
    >
    > I do not assume those kernel codes are unsafe, I am pretty sure they
    > have audited them. It just makes the attack surface much bigger.

    I am pretty confident that the amount of code that can be reached by
    strange packets from the Internet side is going to be a lot smaller
    with WireGuard.

    It's going to be quite difficult to prove either way though, so let's
    just agree to disagree.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From gene heskett@21:1/5 to Erwan David on Sat Apr 19 05:10:01 2025
    On 4/16/25 03:14, Erwan David wrote:
    > On Wed, Apr 16, 2025 at 03:16:29AM CEST, Lee <ler762@gmail.com> said:
    > > On Mon, Apr 14, 2025 at 10:27 AM Dan Purgert wrote:
    > > > On Apr 14, 2025, Marc SCHAEFER wrote:
    > > > > I wrote:
    > > > > > If you
    > > > > > sudo systemctl disable cups # and maybe others
    > > > >
    > > > > Actually, if you follow the discussion, the CUPS Bonjour auto-discovery
    > > > >
    > > > > - it is presumably handled by the cups-browsed package
    > > > >   (you can uninstall it, or systemctl disable it,
    > > > >   if you don't want printer auto-detection on your
    > > > >   network)
    > > > >
    > > > > - it could also be handled by mDNS (?)
    > > >
    > > > Yep, 'cups-browsed' is the mDNS listener service (plugin for avahi?) so
    > > > that cups can find printers announcing themselves via mDNS.
    > >
    > > I'm not sure I understand, but
    > > $ sudo systemctl stop cups.service
    > >
    > > $ lp -d Canon_MG3600_series check-for-updates.sh
    > > lp: Bad file descriptor
    >
    > You stopped cups (ie the whole printing system), not cups-browsed (the
    > mDNS listener to get printers of the local network announcing
    > themselves by Zeroconf)

    Which brings up the fact that if cups-browsed is present, it disables
    the factory drivers which run my 2 brother printers flawlessly, every
    feature listed on the boxes Just Works, with the cups flavor of cups
    drivers which are grossly broken and have been for a decade or more. I
    lose tray choice, color is weak and afu on my color inkjet and my B&W
    laser loses duplex and doesn't properly respond to a formfeed.

    Cheers, Gene Heskett, CET.

    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

  • From tomas@tuxteam.de@21:1/5 to Andrew M.A. Cater on Sat Apr 19 20:10:01 2025
    On Sat, Apr 19, 2025 at 05:35:51PM +0000, Andrew M.A. Cater wrote:
    > [...]
    >
    > Hi Gene,
    >
    > This is probably off topic for the subject of the thread above but -
    >
    > You always claim that stuff is grossly broken: in this instance, CUPS
    > is probably *not* broken. The problem is that the free drivers - which
    > are essentially all that Debian can ship - are less functional than
    > the proprietary drivers shipped by Brother.

    Exactly. The bug /is/ the proprietary driver. I wouldn't buy such a
    printer.

    In fact, I've looked at some and decided I don't need a printer. My room
    in a shared flat is small, and they all seem to have gone to the dark
    side. Not worth the hassle.

    From time to time I try to "fix" my flatmate's printer and am reminded
    every time (phone home: rly?) why I'm happy without.

    The couple of times I need to print something (that very rare snail mail,
    for example), I go to that stationery shop, ten minutes bike ride. It's
    worth it, and the shop owner is awfully nice to boot.

    Cheers
    --
    t

  • From Andrew M.A. Cater@21:1/5 to gene heskett on Sat Apr 19 19:40:01 2025
    On Fri, Apr 18, 2025 at 11:09:06PM -0400, gene heskett wrote:
    > On 4/16/25 03:14, Erwan David wrote:
    > > On Wed, Apr 16, 2025 at 03:16:29AM CEST, Lee <ler762@gmail.com> said:
    > > > On Mon, Apr 14, 2025 at 10:27 AM Dan Purgert wrote:
    > > > > On Apr 14, 2025, Marc SCHAEFER wrote:
    >
    > Which brings up the fact that if cups-browsed is present, it disables
    > the factory drivers which run my 2 brother printers flawlessly, every
    > feature listed on the boxes Just Works, with the cups flavor of cups
    > drivers which are grossly broken and have been for a decade or more. I
    > lose tray choice, color is weak and afu on my color inkjet and my B&W
    > laser loses duplex and doesn't properly respond to a formfeed.

    Hi Gene,

    This is probably off topic for the subject of the thread above but -

    You always claim that stuff is grossly broken: in this instance, CUPS
    is probably *not* broken. The problem is that the free drivers - which
    are essentially all that Debian can ship - are less functional than the
    proprietary drivers shipped by Brother. You have a Brother printer, you
    have the choice of which drivers to install. [And never forget, it was
    the problem of printing and non-free drivers that led Stallman to found
    the Free Software Foundation - printers are getting better but almost
    all contain non-free secret sauce].

    If you think that Debian isn't doing enough, ask Brother if they can
    free the proprietary drivers / help Debian developers work out *exactly*
    what's missing, or whatever, but maybe *do* something rather than always
    complaining that other people aren't doing enough? Even if you get
    nothing much useful back from Brother, at least they will be aware that
    there continues to be a user need for better free drivers and that Debian
    users are paying for and using their printers rather than those from
    another printer manufacturer so it's worth their continuing to support
    Linux.

    All the very best, as ever,

    Andy
    (amacater@debian.org)

    > Cheers, Gene Heskett, CET.
    >
    > --
    > "There are four boxes to be used in defense of liberty:
    > soap, ballot, jury, and ammo. Please use in that order."
    > -Ed Howdershelt (Author, 1940)
    > If we desire respect for the law, we must first make the law respectable.
    > - Louis D. Brandeis

