1. _Chief+(OP) 2026-02-05 10:02:42
> If the SSH connection is set to disallow passwords and only authorize via SSH keys, how big of a risk is this

Low risk, do this. Keys (ed25519, 4096-bit RSA) are impractical to brute force. However, I'd also recommend:

- Use a port other than 22 (add it to your .ssh/config for easier UX if needed); port 22 can get incredibly noisy with tons of bots probing.

- Disable password auth and disable PermitRootLogin; use a normal user with sudo for your SSH.

- Consider a VPN, please. I use Tailscale, but I hear Headscale is good. Then use UFW to only allow SSH from the Tailscale network (I generally allow all network traffic on Tailscale). Tailscale wrote a guide on this [1].

- Do not add and forget authorized_keys entries from machines you aren't using.

- I'm especially worried about how people keep giving Clawdbot/Openclaw access to all their machines; key auth means the machine is authorized on your server.

- For new servers I often just add all my public keys to them (GitHub lists all your keys at github.com/GH_USERNAME.keys).

1: https://tailscale.com/docs/how-to/secure-ubuntu-server-with-...
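An added example, not from the post or from Tailscale's guide: a POSIX sh audit of an `sshd -T` effective-config dump against the points above. Both dumps are constructed, and the KbdInteractiveAuthentication check goes slightly beyond the post, since PAM keyboard-interactive can still prompt for a password when PasswordAuthentication is off.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` (effective config) output for a
# default-ish host; not captured from a real machine.
WEAK_DUMP='port 22
passwordauthentication yes
kbdinteractiveauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes'

# The same host after applying the post's advice (constructed).
HARDENED_DUMP='port 2222
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
pubkeyauthentication yes'

# audit_sshd_t: read an `sshd -T` dump on stdin and print one finding per
# weak setting. `sshd -T` prints option names lowercased, hence the cases.
audit_sshd_t() {
    while read -r key value; do
        case "$key" in
            port)
                [ "$value" != 22 ] || echo "Port is 22: expect constant bot probing" ;;
            passwordauthentication)
                [ "$value" = no ] || echo "PasswordAuthentication is $value, want no" ;;
            kbdinteractiveauthentication)
                # PAM keyboard-interactive can still prompt for a password
                # even when PasswordAuthentication is off, so check it too.
                [ "$value" = no ] || echo "KbdInteractiveAuthentication is $value, want no" ;;
            permitrootlogin)
                [ "$value" = no ] || echo "PermitRootLogin is $value, want no" ;;
            pubkeyauthentication)
                [ "$value" = yes ] || echo "PubkeyAuthentication is $value, want yes" ;;
        esac
    done
}

# count_findings DUMP: number of findings for a dump passed as a string.
count_findings() {
    printf '%s\n' "$1" | audit_sshd_t | awk 'END { print NR }'
}

# On a live host run as root:  sshd -T | audit_sshd_t
printf '%s\n' "$WEAK_DUMP" | audit_sshd_t
echo "weak: $(count_findings "$WEAK_DUMP") findings, hardened: $(count_findings "$HARDENED_DUMP") findings"
```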

2. janmal+83 2026-02-05 10:30:20
>>_Chief+(OP)
Many people keep offering advice to consider a VPN, and while a VPN is very useful, I have not yet come across a reason not to use SSH auth. Like, what can actually happen? From my POV the risk of running all sorts of userspace software with internet access is much greater, even without port forwarding.
3. lxgr+2x 2026-02-05 14:26:31
>>_Chief+(OP)
> key auth means the machine is authorized on your server

Not necessarily: it depends on whether your key is passphrase-protected and how your SSH agent is configured (if you use one). You can have the standard OpenSSH one ask you for confirmation of every key usage, for example.

> consider a vpn please

But also consider how you'll fix a broken VPN without SSH access.
