Caveats & common uses of ssh over public Internet

What the caveats & risks of doing ssh over internet esp without
VPN?  Isn't it quite safe as ssh is encrypted?  Someone just told
me nobody practises ssh via public Internet

What are the common uses of ssh over public Internet (with
keys exchange or password authentication)?  Setting up an
ssh tunnel?  or for psftp or pscp?

I suppose instead of ssh, people uses https or ??
But with https, we'll need certificates while with ssh,
I don't need any
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rich RumbleSecurity SamuraiCommented:
The principals of SSH are the exact same as HTTPS, public-key-cryptography. httpS uses a trusted root and signatory, but can also function well with "self-signed" certificates. SSH is more self-signed (keys), there is no centralized public trust model like with SSL/TLS.
SSH, SCP, SFTP all based on SSL and TLS. PSCP and PSFTP is the same as (unix)SCP and SFTP, they are just Putty's version of it. Both work interchangeably, because they are the same.

SSH is extremely secure and trustworthy, if you can verify the signatures or trust the ones you're receiving. SSH is a tunneling protocol, so it makes the connection, and you send the data you need through an encrypted connection, just like httpS.

SSH is used by every vendor I've encountered, so whomever told you no one uses it over the public internet, has no clue how 99% of the internet remotely administers non-windows gear :) It's the default login protocol for all network equipment, and most linux host's. It's pretty popular.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Maybe the person you were talking to said that nobody runs that ancient SSH server software with the unpatched CRC exploit like shown in the Matrix Reloaded movie from like 2003?  Could be a situation where the fuzzy memories of an older IT manager start to break down 10 years on and he is trying to stay relevant.  

You can use SFTP to send positive pay check ledgers over the public internet to Bank of America so it is probably good enough for your company....  Especially SFTP since you can't set up an SFTP server that has no shell access at all... none zero zilch.
sunhuxAuthor Commented:
That person interviewed me & just simply wanted to fail me
in the interview.  He's supposed to be a very experienced
security person.

As interview question, he asked me:
What are the mitigation measures I can put in place for
ssh in the event the sysadmin who supports the ssh
left the company.

I replied that we ought to put in place two factor (or multiple
factor authentication) such as ACE token (the little dongle/
card with changing numbers that staff ought to return to the
company when he leaves the employment) or use ssh with
password authentication & change the password when the
staff leaves.

He told me the best answer is "physical security" ie deny
the staff who left entry into the company's premises:
I told him what if the ssh is used over the internet & he
sneered: is there anyone who uses ssh over the public

I just realized he has taken me for a ride.

He also asked why is there a need to do regular vulnerability
scan? I replied there are new vulnerabilities being uncovered
& the scan tool will be updated.  Besides, there are changes
to the systems (eg: sysadmin or apps team install new
things on the systems or make system changes) & the
interviewer replied : the most accurate answer is this is
to give the team sufficient time to address the vulnerabilities
before an actual audit took place: well everyone knows we
need time to fix the vulnerabilities.  

That fellow just don't want an old person like me to join
his team ..... sad that in my culture here, discrimination
against aging people is rampant.
Rich RumbleSecurity SamuraiCommented:
Those are kinda/sorta answers (his) but flawed in their presentation. Everyone uses SSH over the internet, maybe he meant telnet, no one should use telnet :)
Your answer for vuln/pen-test scan's is more accurate than his/hers.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSH / Telnet Software

From novice to tech pro — start learning today.