
Update README.md#153

Open
tartaruslovesnoodles wants to merge 1 commit into decalage2:master from tartaruslovesnoodles:patch-1

Conversation

@tartaruslovesnoodles

Hello, I spotted some errors in your advice for SSH. I'll list what I noted below.

These 3 sources referenced for SSH security no longer exist or may have been entered incorrectly.
https://www.ssi.gouv.fr/en/guide/openssh-secure-use-recommendations/
https://www.sshaudit.com/hardening_guides.html
https://bettercrypto.org/

The source listed below is deprecated by modern standards and contains 'expired', time-bound advice.
https://goteleport.com/blog/how-to-ssh-properly/

  • TOTP apps, while still used, are growing obsolete to hardware keys and push-based MFA.
  • RSA keys are no longer the modern standard. This should be ssh-keygen -t ed25519.
  • This article suggests extremely long-lived certs, i.e. 1-year certs. This is far too long.
  • While manual CA management is still something I'm personally not opposed to if it is done well, the article fails to mention vaults and the security trade-offs many devs prefer with them, as opposed to manual management.
  • If you use a bastion host, then you either need to run it through a proxy or have a backup bastion server that is also whitelisted.
  • Overall this article contains out of date advice and subpar practices. It is also redundant when paired with what you've already provided for SSH, providing no new information. Given all that, I'd suggest removing this article from the SSH section.

I considered adding additional sources or perhaps briefly explaining and pointing sources to cryptography concerning SSH, but the sources you listed are rather robust and should have all the info anyway. Though I'd recommend maybe describing or summarizing these documents as well. People pick up a lot more on what they read if they go in with a general idea, which really only needs to be like 100 to 1000 words.

Removed 4 sources from SSH: 3 no longer exist; one, https://goteleport.com/blog/how-to-ssh-properly/, redirects to a new link and contains deprecated cybersecurity advice.

Specific issues with https://goteleport.com/blog/how-to-ssh-properly/:
 - TOTP apps, while still used, are growing obsolete to hardware keys and push-based MFA.
 - RSA keys are no longer the modern standard. This should be ssh-keygen -t ed25519.
 - This article suggests extremely long-lived certs, i.e. 1-year certs. This is far too long.
 - While manual CA management is still something I'm personally not opposed to if it is done well, the article fails to mention vaults and the security trade-offs many devs prefer with them, as opposed to manual management.
 - If you use a bastion host, then you either need to run it through a proxy or have a backup bastion server that is also whitelisted.
 - Overall this article contains out of date advice and subpar practices. It is also redundant when paired with what you've already provided for SSH, providing no new information. Given all that, I'd suggest removing this article from the SSH section.
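Two of the points above (ed25519 instead of RSA, and certificate lifetimes measured in hours rather than a year) are easy to turn into a concrete, checkable procedure. The script below is an added example; it is not code from this PR, its author, or the decalage2 repository. It assumes OpenSSH's ssh-keygen is installed and that `date` is either the GNU or BSD variant; the key names, the principal `deploy`, the key ID suffix `@laptop` and the 24-hour policy limit are illustrative choices. It creates an ed25519 user CA, signs a user key for eight hours and for 52 weeks, and rejects the long-lived certificate by reading the validity window back out of the certificate itself rather than trusting whatever was passed to `-V`.

```shell
#!/bin/sh
# Added example (not from the PR or the linked repository): issue short-lived
# OpenSSH user certificates from an ed25519 CA and enforce a maximum lifetime
# by parsing the "Valid:" line that ssh-keygen -L prints for the certificate.
# Assumes ssh-keygen plus GNU or BSD date. Key names, the principal "deploy"
# and the 24h limit are illustrative.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
MAX_LIFETIME_SECONDS="${MAX_LIFETIME_SECONDS:-86400}"   # policy: 24 hours, not 1 year

# ed25519 for both the CA key and the user key; no RSA anywhere.
make_keys() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORKDIR/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C 'alice'   -f "$WORKDIR/alice"
}

# Sign a public key: $1 = pubkey path, $2 = validity interval, $3 = serial.
# ssh-keygen writes the certificate next to the key as <name>-cert.pub.
# -n restricts the accounts it may log in as, -z gives it a serial so it can be
# revoked through a KRL, and "-O clear" drops every default extension before
# re-adding only permit-pty (least privilege for an interactive login).
issue_cert() {
  ssh-keygen -q -s "$WORKDIR/user_ca" -I "$(basename "$1" .pub)@laptop" \
    -n deploy -V "$2" -z "$3" -O clear -O permit-pty "$1"
}

# Local ISO-8601 timestamp, as printed by ssh-keygen -L, to epoch seconds.
# GNU date first; fall back to the BSD/macOS form.
to_epoch() {
  date -d "$1" +%s 2>/dev/null || date -j -f '%Y-%m-%dT%H:%M:%S' "$1" +%s
}

# Lifetime in seconds, read back from the "Valid: from A to B" line of the cert.
cert_lifetime_seconds() {
  valid=$(ssh-keygen -L -f "$1" | awk '/Valid: from/ { print $3, $5 }')
  set -- $valid
  echo $(( $(to_epoch "$2") - $(to_epoch "$1") ))
}

# Succeeds only if the certificate expires within the policy limit.
cert_within_policy() {
  [ "$(cert_lifetime_seconds "$1")" -le "$MAX_LIFETIME_SECONDS" ]
}

main() {
  make_keys
  # Eight-hour certificate, backdated five minutes for clock skew: passes policy.
  issue_cert "$WORKDIR/alice.pub" '-5m:+8h' 1
  cert_within_policy "$WORKDIR/alice-cert.pub" && echo "alice-cert.pub: within policy"
  # 52-week certificate, the kind the blog post suggests: rejected.
  cp "$WORKDIR/alice.pub" "$WORKDIR/alice_long.pub"
  issue_cert "$WORKDIR/alice_long.pub" '+52w' 2
  cert_within_policy "$WORKDIR/alice_long-cert.pub" || echo "alice_long-cert.pub: lifetime too long"
}

main "$@"
```

The check deliberately reads the window out of the signed certificate instead of the `-V` argument: that is what a server will enforce, and it is what an auditor can run against certificates found on hosts without knowing how they were issued. In a real deployment the CA private key would live in a vault or signing service rather than in a temporary directory, and the serial would come from a counter so that revocation lists stay meaningful.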