Hacker News

k_roy, today at 5:02 AM (1 reply)

> Can you even imagine pypi or npm compromising ssh this way?

Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?

I don’t even know the last time I exposed ssh to the open internet.

But the fact is that with npm or pypi you can be exploited just by running the software you've already installed, because the dependencies are everywhere on your system?


Replies

lmm, today at 5:20 AM

> Is ssh somehow sacrosanct in a way that any other RCE or credential stealing attack is different?

I see ssh as a very fundamental part of the system - in BSD terms it's in base, not ports. Random packages from npm or pypi, sure, if you installed some slop off the internet and got exploited that's not so surprising. (Even those package managers themselves are not part of the base system, much less anything you install with them.) But ssh should be safe!
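An added example (not from either commenter) of the mechanism behind k_roy's point that an installed PyPI dependency can run code without you ever importing it: CPython's site.py reads every `.pth` file in the site-packages directories at interpreter startup and executes any line that begins with `import ` (or `import` followed by a tab), so a package that ships such a file runs on every Python invocation on the box, regardless of what script you launched. The scanner below classifies `.pth` lines the way site.py does and reports the executable ones, first over a constructed sample file and then over the interpreter's real site directories. All names and the sample `.pth` content are this example's own, and the sample line is only reported, never executed.

```python
"""Audit .pth files in Python site-packages for import-time code execution.

Added example, not code from the thread. CPython's site.py executes any line
of a site-packages .pth file that starts with "import " or "import\\t" every
time the interpreter starts, before your own script runs. Function names and
the sample .pth content below are this example's own construction.
"""
import os
import site
import tempfile
from typing import Iterable, List, Tuple


def parse_pth(text: str) -> List[Tuple[int, str, str]]:
    """Classify each line of a .pth file the way site.py's addpackage() does.

    Returns (line_number, kind, content) with kind in
    {"blank", "comment", "import", "path"}. Only "import" lines are exec()'d
    by site.py; "path" lines are merely appended to sys.path.
    """
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            rows.append((n, "blank", line))
        elif line.startswith("#"):
            rows.append((n, "comment", line))
        elif line.startswith(("import ", "import\t")):
            rows.append((n, "import", line))
        else:
            rows.append((n, "path", line))
    return rows


def find_executable_pth_lines(dirs: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (file, line_number, line) for every executable line in .pth files under dirs."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for n, kind, line in parse_pth(text):
                if kind == "import":
                    hits.append((path, n, line))
    return hits


def site_dirs() -> List[str]:
    """Directories whose .pth files this interpreter processes at startup."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    user = site.getusersitepackages()
    if site.ENABLE_USER_SITE and user:
        dirs.append(user)
    return dirs


# Constructed sample: looks like an ordinary path entry but also carries an
# import line. A wheel can ship exactly this as part of its data files.
SAMPLE_PTH = (
    "# added by some-package\n"
    "../some_package_vendor\n"
    "\n"
    "import os; os.environ['PWNED'] = '1'  # site.py would exec this line\n"
)


def demo() -> List[Tuple[str, int, str]]:
    """Write the sample .pth into a temp dir and scan it; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "some_package.pth"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_PTH)
        return find_executable_pth_lines([tmp])


if __name__ == "__main__":
    for path, n, line in demo():
        print(f"[sample] {path}:{n}: {line}")
    real = find_executable_pth_lines(site_dirs())
    print(f"{len(real)} executable .pth line(s) under {site_dirs()}")
    for path, n, line in real:
        print(f"{path}:{n}: {line}")
```

Run it against a real environment to see how many packages already hook interpreter startup this way; editable installs and some import hooks use the same mechanism legitimately, so each hit needs a human look rather than an automatic verdict.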