> On 04 Sep 2025, at 18:48, Gert Doering <gert at greenie.muc.de>
wrote:
> 
> Hi,
> 
> On Thu, Sep 04, 2025 at 02:46:22PM +0000, Rene Malmgren wrote:
>> Would you put 1000 BTC on a system and have OpenSSH as a frontline
software to protect it?
> 
> I would not put 1000 BTC on a system that is accessible via any means
> from the Internet.  This is how real men do "security".
Yeah that  one? the only secure computer, is one buried in a 100feet thick and
deep steel enforced concrete container with no network en electricity supply?
and even then I?ll have my doubts ;)
I do believe the only fail safe firewall is the side-cutter applied to both the
network en power cables.> 
> But if I had to, OpenSSH would be the least of my worries.  I guess I'd
> ensure that only pubkey auth is possible, that there is a firewall in 
> the way that only allows specific subnets that I trust, etc. - but that
> is general good hygiene.  Reduce blast radius.  Bugs happen.
Even subnets can?t be ?trusted? once you?ve traversed an untrusted network?
which makes for an interesting thing I can now do with IPv6? I have typically
64bits to use for a hash/mac to communicate with 0_o thanks that is an
interesting  toy R&D
> Like, kernel bugs that are exploitable remotely... so, "do not put
things
> on the Internet".
I?ll add that I?ll also NOT use a public Linux Distro, but OpenBSD that was 
audited (Somebody once said: Trust, but verify) the the borders too..
> 
> gert 
> -- 
> "If was one thing all people took for granted, was conviction that if
you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh
Mistress
> 
> Gert Doering - Munich, Germany                             gert at
greenie.muc.de
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev