Tuesday, August 17, 2021

Things wrong with OpenSSH

What is SSH?

I don't need to introduce it. Let's be honest, every "modern day" UNIX user knows about SSH. It was basically a security extension to RSH by the OpenBSD people. A user only ever uses SSH to spawn a shell remotely and administer that particular system.

Though, as we know, every project only ever becomes unnecessarily complex and complicated as time passes; it's like an exponential function of time.

What is wrong with it?

  1. People have a hard time setting it up.
  2. It violates the UNIX philosophy.

Why does it violate the UNIX philosophy? Because it does:

  • X11 forwarding (why not consider Wayland?)
  • Port forwarding
  • Tunneling
  • SFTP
  • SSHFS

all of which should be out of its scope.

X11 forwarding can be done without SSH by just setting the DISPLAY variable. This security feature should be in X.org (yes, it's the only implementation of X11) and not in SSH.

Port forwarding (NAT) is done with special kernel-level subsystems: netfilter and iptables or eBPF on Linux, and PF on OpenBSD. It is a low-level I/O job that has to account for flexibility and latency, so kernel-to-user and user-to-kernel transitions cost extra CPU and memory, whereas the kernel would just move the pages around.

Tunneling is a solved problem: OpenVPN, IPsec and IKEv2 exist and are specialized for the purpose.

SFTP is, again, a solved problem. It is solved by FTPS, which uses SSL, ensuring backwards compatibility with existing FTP infrastructure.

SSHFS: SSH only ever solves already-solved problems. NFSv4 mandates security, Samba has it too, and other sophisticated solutions might exist as well.
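Every feature in the list above is a separately switchable server option in sshd_config(5). As an added example, not code from the original post, here is a small POSIX shell audit that reads an sshd_config, fills in OpenSSH's documented defaults for absent keywords, and reports which of those features the server still offers. The two config files it writes are constructed for the example, and the function names `effective_value`, `audit` and `count_enabled` are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for
# the forwarding/subsystem features discussed above. Keyword names and the
# defaults assumed for absent keywords come from sshd_config(5); the two
# config files written below are constructed for this example.

SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
HARD_CFG="${TMPDIR:-/tmp}/sshd_config.hardened.$$"
trap 'rm -f "$SAMPLE_CFG" "$HARD_CFG"' EXIT

# Constructed sample 1: a typical distro-style config with the features on.
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
X11Forwarding yes
AllowTcpForwarding yes
PermitTunnel no
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    AllowTcpForwarding no
EOF

# Constructed sample 2: the same server with every listed feature off.
cat > "$HARD_CFG" <<'EOF'
Port 22
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
# no "Subsystem sftp" line, so the SFTP subsystem is not offered at all
EOF

# effective_value FILE KEYWORD DEFAULT
# Prints the value of the first top-level occurrence of KEYWORD (sshd honours
# the first one), or DEFAULT when it is absent. Matching is case-insensitive,
# like sshd itself. Match blocks are skipped because their settings only apply
# to the matched users/hosts. Trailing comments and "key=value" are not parsed.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/             { next }
        /^[[:space:]]*$/             { next }
        tolower($1) == "match"       { inmatch = 1; next }
        inmatch                      { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# audit FILE
# One line per feature, "<name> <value> <ok|ENABLED>". Returns 1 if anything
# is still enabled. Defaults are those documented in sshd_config(5).
audit() {
    cfg="$1"; rc=0
    for spec in X11Forwarding:no AllowTcpForwarding:yes AllowAgentForwarding:yes \
                PermitTunnel:no GatewayPorts:no; do
        key="${spec%%:*}"; def="${spec#*:}"
        val="$(effective_value "$cfg" "$key" "$def")"
        if [ "$val" = "no" ]; then
            echo "$key $val ok"
        else
            echo "$key $val ENABLED"; rc=1
        fi
    done
    # SFTP is a Subsystem line, not a yes/no keyword.
    if grep -Eiq '^[[:space:]]*subsystem[[:space:]]+sftp' "$cfg"; then
        echo "Subsystem-sftp present ENABLED"; rc=1
    else
        echo "Subsystem-sftp absent ok"
    fi
    return "$rc"
}

# count_enabled FILE: number of features the audit flags as ENABLED.
count_enabled() {
    audit "$1" | grep -c ' ENABLED$' || true
}

echo "== sample config =="
audit "$SAMPLE_CFG" || echo "-> $(count_enabled "$SAMPLE_CFG") feature(s) still enabled"
echo "== hardened config =="
audit "$HARD_CFG" && echo "-> nothing listed is enabled"
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in and is the authoritative check; the script above only approximates that so it can run against a file offline. Since OpenSSH 7.4, `DisableForwarding yes` switches off X11, agent, TCP and Unix-socket forwarding in a single line, which is simpler than setting each keyword separately.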

But why are you writing this?

To dump what I've collected and compiled in my mind; I don't really care if anyone reads this or not. Also, there are absolutely no articles criticizing it, so someone had to do it.

I'm not a UNIX purist, but this is to make you purists (yes, you) aware of it.

What should I use now?

Talking about alternatives, I didn't see any except RSH. If you know of any, put them in the comments.

Other resources on this

  1. http://harmful.cat-v.org/software/ssh



1 comment:

  1. Secure Shell Hell is what I'd like to call it, because it's a hell of a mess.