I heard that ssh is kinda of an unnecessary step, since wireguard is already encrypted by default. Even legacy rsh should work fine in that setup. But I'm still not convinced, having double encryption is not a real performance problem in the real world. And I prefer it, just to be safe
SSH can authenticate a user, wireguard (as typically deployed) only authenticates a computer.
SSH can sometimes authenticate intent, like Yubikey touch.
Using wireguard for authentication is a mistake. The category of mistake is usually referred to as ambient authority, often exploited via a confused deputy.
I think you are misunderstanding the use of wireguard here - this is a userspace wireguard connection, so the process has the same permissions as the user executing it.
In one sense, this is no different than adding a public key to ~/ssh/authorized_keys.
If you control the key, you control the authentication.
rsh would fill the same gap for authentication, (or even raw telnet), or anything that integrates with unix users.
What makes SSH different is the encrypting part. The keys were only introduced to be used by the encryption algorithms. Users and multiple identities were a core detail of nixes much before SSH
Ok, I get what you mean rlogin and rsh are not safe because of inumerous legacy problems. But I think you get what I meant as well, authorization problems can be solved without SSH.
I said that even rsh would do because will can ignore all the weird outdated stuff and just login with an user and password, same as a local login. In that case telnet would also work.
However, I truly believe that cryptographic keys are way superior to passwords. And going back to them would be a huge step back
You also need to change the boot behavior of sshd to wait for wireguard (tailscale in my case) to be available. I had to add a couple of lines to the ssh systemd unit.
Yep. And also pay attention during package and system upgrades on some systems. In certain cases it messes up this ordering, and you end up with sshd starting before Wireguard again and then sshd doesn’t find any interface with the specified address, which in turn makes it so that it won’t bind to that address. Making the machine unreachable until you manually fix it again.
A less finnicky approach would be binding to 0.0.0.0, then configuring incoming firewall policy. By default deny, then allow SSH through wireguard network. Or by default allow then deny SSH through public network.
if you want to get fancy and/or over engineered you would use systemd templated units to setup sshd@.service and a ListenAddress in the config listening on %i. Then you could bring up sshd@(expectedip).service for each expected IP
.. but that doesn't gain all that much tbh.if anything the only hesitation I'd have on listening to * and relying on firewall rules is if the service comes up before its configured. but exposing sshd isn't even that bad
I did something like that but somehow after an upgrade I still lost access to one of my systems that I had set up like that. This machine is physically in a different city from me so I rarely have the chance to go there. And lately I’ve even been in another country.
it only takes 3 lines in a systemd override fille (which I think don't suffer the overwrite-on-upgrade problem). To my mind, that keeps the startup logic nicely local in service files.
That’s what I do currently with some of my hosts.