
So this is effectively like ProxyJump, just with the jump node exposed over SSL and backed by the HAProxy binary instead of OpenSSH?

What benefits do you see? I mean, you still expose some binary that implements authentication and authorization using cryptography.

I think that even RBAC scenarios described in the link above should be achievable with OpenSSH, right?



It's not about RBAC at all. The goal is not to expose the SSH socket to the Internet! SSH TCP is encapsulated in HTTPS packets, and ONLY after successful certificate auth by HAProxy.


Right, but now you are exposing the HAProxy socket to the Internet. Why is that better?



