Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What does this bring over binding sshd to the Wireguard interface address?

That’s what I do currently with some of my hosts.



I heard that ssh is kinda of an unnecessary step, since wireguard is already encrypted by default. Even legacy rsh should work fine in that setup. But I'm still not convinced, having double encryption is not a real performance problem in the real world. And I prefer it, just to be safe


SSH can authenticate a user, wireguard (as typically deployed) only authenticates a computer.

SSH can sometimes authenticate intent, like Yubikey touch.

Using wireguard for authentication is a mistake. The category of mistake is usually referred to as ambient authority, often exploited via a confused deputy.


I think you are misunderstanding the use of wireguard here - this is a userspace wireguard connection, so the process has the same permissions as the user executing it.

In one sense, this is no different than adding a public key to ~/ssh/authorized_keys.

If you control the key, you control the authentication.


In the case of the project linked, yes. I'm responding to the comment that said

> I heard that ssh is kinda of an unnecessary step


rsh would fill the same gap for authentication, (or even raw telnet), or anything that integrates with unix users.

What makes SSH different is the encrypting part. The keys were only introduced to be used by the encryption algorithms. Users and multiple identities were a core detail of nixes much before SSH


rsh relies on the client host to not lie, that's quite a different level of guarantee than touching a Yubikey.


Ok, I get what you mean rlogin and rsh are not safe because of inumerous legacy problems. But I think you get what I meant as well, authorization problems can be solved without SSH.

I said that even rsh would do because will can ignore all the weird outdated stuff and just login with an user and password, same as a local login. In that case telnet would also work.

However, I truly believe that cryptographic keys are way superior to passwords. And going back to them would be a huge step back


Is there a small writeup available somewhere about this? I like the idea.


I guess you just need to configure `ListenAddress` in your `/etc/ssh/sshd_config` properly (see `man sshd_config`).


You also need to change the boot behavior of sshd to wait for wireguard (tailscale in my case) to be available. I had to add a couple of lines to the ssh systemd unit.


Yep. And also pay attention during package and system upgrades on some systems. In certain cases it messes up this ordering, and you end up with sshd starting before Wireguard again and then sshd doesn’t find any interface with the specified address, which in turn makes it so that it won’t bind to that address. Making the machine unreachable until you manually fix it again.


A less finnicky approach would be binding to 0.0.0.0, then configuring incoming firewall policy. By default deny, then allow SSH through wireguard network. Or by default allow then deny SSH through public network.


I like that idea a lot. I may start doing that.


if you want to get fancy and/or over engineered you would use systemd templated units to setup sshd@.service and a ListenAddress in the config listening on %i. Then you could bring up sshd@(expectedip).service for each expected IP

.. but that doesn't gain all that much tbh.if anything the only hesitation I'd have on listening to * and relying on firewall rules is if the service comes up before its configured. but exposing sshd isn't even that bad


You can create an override file for sshd to avoid issues due to package config changes.

https://www.freedesktop.org/software/systemd/man/latest/syst...


I did something like that but somehow after an upgrade I still lost access to one of my systems that I had set up like that. This machine is physically in a different city from me so I rarely have the chance to go there. And lately I’ve even been in another country.


Yeah I would do it with nftables so you don't have to change the sshd listen address.


Why don't you just add sshd restart as an interface PostUp step in the client's wireguard config file?


it only takes 3 lines in a systemd override fille (which I think don't suffer the overwrite-on-upgrade problem). To my mind, that keeps the startup logic nicely local in service files.


So allow sshd to start in a failed mode and then restart it?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: