Hacker News

> SSH agent forwarding should be disabled.

> SSH should not be exposed to the general internet.

> If you need to copy files between machines, use rsync rather than scp.

Great. Just great. I still remember when SSH was described as the solution to fix telnet and rcp. And now we can't use it any more. Fan-freaking-tastic.

SSH is fine :) But agent forwarding is the biggest footgun imaginable, and scp sadly has design flaws some of which it literally inherited verbatim from rcp.

But using SSH as a shell is fine. And rewiring your fingers to type rsync rather than scp isn't too bad either - plus you get resumption etc for free :) (And yes, I appreciate the parent is being slightly tongue in cheek).

Edit: of course, if we'd been using xrsh and xrcp from XNS rather than this newfangled TCP/IP stuff none of this would probably ever have happened...
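The "agent forwarding is a footgun" point above is easy to check for on a box you administer. As an added example (my code, not from the thread or from OpenSSH), this audits OpenSSH config text for the two directives that control it: `AllowAgentForwarding` in sshd_config (OpenSSH default `yes`) and `ForwardAgent` in ssh_config (default `no`). It follows OpenSSH's first-value-wins rule and treats anything below a `Match` block (or a `Host` block other than `Host *`) as conditional rather than global; the sample configs are constructed.

```python
"""Audit OpenSSH config text for SSH agent forwarding (added example).

Server side: sshd_config 'AllowAgentForwarding' (OpenSSH default: yes).
Client side: ssh_config  'ForwardAgent'         (OpenSSH default: no).
OpenSSH uses the first value it finds for a keyword. Directives under a
'Match' block, or a 'Host' block other than 'Host *', only apply when that
block matches, so this audit treats only the lines above the first such
block as the global setting.
"""
import re

DEFAULTS = {
    "allowagentforwarding": "yes",  # sshd_config default
    "forwardagent": "no",           # ssh_config default
}

# "Keyword value" or "Keyword=value"; first group is the keyword.
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(\S+)")


def effective_value(config_text: str, keyword: str) -> str:
    """Return the global effective value of *keyword* (lower-cased).

    Comments and blank lines are skipped, keywords are case-insensitive,
    the first occurrence wins, and scanning stops at the first conditional
    block. Falls back to the OpenSSH default when the directive is absent.
    """
    kw = keyword.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match" or (key == "host" and value != "*"):
            break  # everything below is conditional, not global
        if key == kw:
            return value.lower()
    return DEFAULTS[kw]


def agent_forwarding_findings(sshd_config: str, ssh_config: str) -> list:
    """Return a list of human-readable findings (empty means both are off)."""
    findings = []
    if effective_value(sshd_config, "AllowAgentForwarding") != "no":
        findings.append("sshd_config: AllowAgentForwarding is enabled "
                        "(set 'AllowAgentForwarding no')")
    if effective_value(ssh_config, "ForwardAgent") != "no":
        findings.append("ssh_config: ForwardAgent is enabled "
                        "(set 'ForwardAgent no')")
    return findings


# Constructed sample configs for demonstration.
WEAK_SSHD = """Port 22
PermitRootLogin no
#AllowAgentForwarding yes   <- commented out, so the default (yes) applies
PasswordAuthentication no
"""
HARDENED_SSHD = """Port 22
PermitRootLogin no
AllowAgentForwarding no
PasswordAuthentication no
"""
MATCH_ONLY_SSHD = """Port 22
Match User deploy
    AllowAgentForwarding no
"""
WEAK_SSH_CLIENT = """Host *
    ForwardAgent = yes
"""
HARDENED_SSH_CLIENT = """Host *
    ForwardAgent no
"""

if __name__ == "__main__":
    for label, sshd, client in (("weak", WEAK_SSHD, WEAK_SSH_CLIENT),
                                ("hardened", HARDENED_SSHD, HARDENED_SSH_CLIENT)):
        print(label, agent_forwarding_findings(sshd, client) or ["ok"])
```

Note the commented-out line in `WEAK_SSHD`: a server with no `AllowAgentForwarding` directive at all is still forwarding-enabled, because the default is `yes`. The `Match` case shows why a per-user `no` is not a global `no`.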

Sorry for my snarky tone. I'm dealing with an intrusion of my own right now and your writeup was actually quite helpful, so thanks for doing it.

gah, sorry to hear that - good luck!

How does using rsync instead of scp help? Isn't the default behavior of rsync to use SSH for transport, just like ssh does? Thus you'd still rely on forwarding keys or another ssh authentication method.

The suggestion is to use rsync rather than scp, not ssh (which as you rightly say is the default transport for rsync).

SCP is a protocol layered on SSH, and has had a spate of security flaws recently:

* Incorrect validation of the SCP client directory name (CVE-2018-20685)

* The SCP client did not receive the validation of the name of the received object (CVE-2019-6111)

* Counterfeit client SCP through object name (CVE-2019-6109)

* SCP Client spoofing using stderr (CVE-2019-6110)

And as of 8.0, OpenSSH recommends you no longer use SCP in favour of sftp or rsync, as per the security paragraph of https://www.openssh.com/txt/release-8.0:

> The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead.

Ah, I wasn't familiar with the security problems in the SCP protocol. Thanks. I had misread the recommendation on the blog post as "SSH agent forwarding is insecure, so use rsync instead of SCP", which didn't make sense.

Not to mention that rsync is a much better tool than scp in almost all respects (the only advantage scp has is that it works on all OpenSSH servers, while rsync requires you to have rsync installed on the remote end).

Is SSH fine..?

mosh dev and users think no.

what sort of thing are they worried about?

I don't know if they'd describe it as "worry", but take a look!¹

>We think that Mosh's conservative design means that its attack surface compares favorably with more-complicated systems like OpenSSL and OpenSSH. Mosh's track record has so far borne this out. Ultimately, however, only time will tell when the first serious security vulnerability is discovered in Mosh—either because it was there all along or because it was added inadvertently in development. OpenSSH and OpenSSL have had more vulnerabilities, but they have also been released longer and are more prevalent.

> In one concrete respect, the Mosh protocol is more secure than SSH's: SSH relies on unauthenticated TCP to carry the contents of the secure stream. That means that an attacker can end an SSH connection with a single phony "RST" segment. By contrast, Mosh applies its security at a different layer (authenticating every datagram), so an attacker cannot end a Mosh session unless the attacker can continuously prevent packets from reaching the other side. A transient attacker can cause only a transient user-visible outage; once the attacker goes away, Mosh will resume the session.

> However, in typical usage, Mosh relies on SSH to exchange keys at the beginning of a session, so Mosh will inherit the weaknesses of SSH—at least insofar as they affect the brief SSH session that is used to set up a long-running Mosh session.
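The quoted paragraph about authenticating every datagram is worth seeing concretely. Below is an added example (my own toy model, not mosh's code or wire format, which uses a different cipher construction): each datagram carries a sequence number and an HMAC under a session key, so the receiver drops anything it cannot authenticate (a forged "close" message, the analogue of a spoofed TCP RST) or has already seen (a replay), and simply continues after a gap in sequence numbers (a transient outage). The key and messages are constructed.

```python
"""Toy model of per-datagram authentication (added example, not mosh).

A TCP stream can be torn down by anyone who can inject one unauthenticated
segment. If instead every datagram is authenticated, an injected datagram
without the key is just dropped, and lost datagrams are a gap the session
survives rather than an error that ends it.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
SESSION_KEY = b"\x42" * 32  # constructed; in mosh's case exchanged over SSH


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build an authenticated datagram: 8-byte seq || payload || HMAC-SHA256."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts only authenticated datagrams with a strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.log = []

    def receive(self, datagram: bytes):
        """Return the payload if the datagram authenticates and is fresh, else None."""
        if len(datagram) < 8 + TAG_LEN:
            self.log.append("drop: truncated")
            return None
        header, body, tag = datagram[:8], datagram[8:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.log.append("drop: bad MAC")
            return None
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            self.log.append(f"drop: replay seq={seq}")
            return None
        self.last_seq = seq  # gaps are fine: lost datagrams do not end the session
        return body


def simulate(key: bytes) -> dict:
    """Run the four situations the quote describes and report what got through."""
    rx = Receiver(key)
    delivered = []
    # 1. legitimate traffic from the peer that holds the key
    delivered.append(rx.receive(seal(key, 1, b"echo hi")))
    # 2. an off-path party injects a 'close' datagram without the key
    #    (the analogue of a spoofed TCP RST): authentication fails, it is dropped
    forged = struct.pack(">Q", 2) + b"CLOSE" + bytes(TAG_LEN)
    delivered.append(rx.receive(forged))
    # 3. datagrams 2..4 are lost (transient outage); seq 5 arrives and is accepted
    delivered.append(rx.receive(seal(key, 5, b"still here")))
    # 4. a captured earlier datagram is replayed; rejected as stale
    delivered.append(rx.receive(seal(key, 1, b"echo hi")))
    return {"delivered": delivered, "log": rx.log, "last_seq": rx.last_seq}


if __name__ == "__main__":
    result = simulate(SESSION_KEY)
    for item in result["delivered"]:
        print("delivered:", item)
    for entry in result["log"]:
        print(entry)
```

The point of step 3 is the one the quote makes: a transient attacker who drops packets only causes a transient outage, because the receiver's state is "last accepted sequence number", not a connection that has been reset.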

Eh, I think you misunderstood this. There are still no alternatives to SSH. And if you want to expose something to an open internet, SSH is way better than telnet and rcp.

In particular, the rsync command that they are talking about is still using SSH as an underlying transport.

from mosh.org

> Mosh doesn't listen on network ports or authenticate users. The mosh client logs in to the server via SSH, and users present the same credentials (e.g., password, public key) as before.
