logoalt Hacker News

cevntoday at 3:50 AM1 replyview on HN

Good point. I self host headscale but it also has the ssh feature, probably also insecure.


Replies

OJFordtoday at 6:39 AM

Not necessarily, it's a clean room implementation. Even if leading dashes was known/documented/tested to implement they might have done it differently. And maybe it was an implementation detail that it was ever allowed, but that's a weird username, headscale implementation happened not to allow it, and nobody ever noticed the discrepancy.