A critical vulnerability (CVE-2025-32433) exists in Erlang/OTP's SSH implementation, affecting versions prior to 26.2.1 and 25.3.2.6. This flaw allows unauthenticated remote attackers to execute arbitrary code on the server. Specifically, a specially crafted SSH message can trigger the vulnerability during the initial handshake, before authentication occurs, enabling complete system compromise. Users are urged to update their Erlang/OTP installations to the latest patched versions as soon as possible.
The order of files within /etc/ssh/sshd_config.d/ directly impacts how OpenSSH's sshd daemon interprets its configuration. The daemon reads files alphabetically, applying settings sequentially. This means later files can override earlier ones, leading to unexpected behavior if not carefully managed. A common example is setting PasswordAuthentication no in a later file, negating an earlier file's Match block intended to allow password logins for specific users or groups. Therefore, understanding and controlling file order in this directory is crucial for predictable and reliable SSH configuration.
Hacker News users discuss the implications of sshd_config.d file ordering, mostly agreeing it's a surprising but important detail. Several commenters highlight the potential for misconfigurations and debugging difficulties due to this behavior. One user shares a personal anecdote of troubleshooting an issue caused by this very problem, emphasizing the practical impact. Others point out the lack of clear documentation on this behavior in the man pages, suggesting it's a common pitfall. The discussion also touches upon alternative configuration approaches, like using a single file or employing tools like Puppet or Ansible to manage configurations more predictably. Some users express surprise that later files override earlier ones, contrary to their expectations. The overall sentiment reinforces the importance of awareness and careful management of sshd configuration files.
Pico.sh offers developers instant, SSH-accessible Linux containers, pre-configured with popular development tools and languages. These containers act as personal servers, allowing developers to run web apps, databases, and background tasks without complex server management. Pico emphasizes simplicity and speed, providing a web-based terminal for direct access, custom domains, and built-in tools like Git, Docker, and various programming language runtimes. They aim to streamline the development workflow by eliminating the need for local setup and providing a consistent environment accessible from anywhere.
HN commenters generally expressed interest in Pico.sh, praising its simplicity and potential for streamlining development workflows. Several users appreciated the focus on SSH, viewing it as a secure and familiar access method. Some questioned the pricing model's long-term viability and compared it to similar services like Fly.io and Railway. The reliance on Tailscale for networking was both lauded for its ease of use and questioned for its potential limitations. A few commenters expressed concern about vendor lock-in, while others saw the open-source nature of the platform as mitigating that risk. The project's early stage was acknowledged, with some anticipating future features and improvements.
Cloudflare has open-sourced OPKSSH, a tool that integrates single sign-on (SSO) with SSH, eliminating the need for managing individual SSH keys. OPKSSH achieves this by leveraging OpenID Connect (OIDC) and issuing short-lived SSH certificates signed by a central Certificate Authority (CA). This allows users to authenticate with their existing SSO credentials, simplifying access management and improving security by eliminating static, long-lived SSH keys. The project aims to standardize SSH certificate issuance and validation through a simple, open protocol, contributing to a more secure and user-friendly SSH experience.
HN commenters generally express interest in OpenPubkey but also significant skepticism and concerns. Several raise security implications around trusting a third party for SSH access and the potential for vendor lock-in. Some question the actual benefits over existing solutions like SSH certificates, agent forwarding, or using configuration management tools. Others see potential value in simplifying SSH key management, particularly for less technical users or in specific scenarios like ephemeral cloud instances. There's discussion around key discovery, revocation speed, and the complexities of supporting different identity providers. The closed-source nature of the server-side component is a common concern, limiting self-hosting options and requiring trust in Cloudflare. Several users also mention existing open-source projects with similar goals and question the need for another solution.
The PuTTY iconography uses a stylized computer terminal displaying a kawaii face, representing the software's friendly nature despite its powerful functionality. The different icons distinguish PuTTY's various tools through color and added imagery. For instance, PSCP (secure copy) features a document with a downward arrow, while PSFTP (secure file transfer protocol) shows a pair of opposing arrows, symbolizing bi-directional transfer. The colors roughly correspond to the traffic light system, with green for connection tools (PuTTY, Plink), amber for file transfer tools (PSCP, PSFTP), and red for key generation (PuTTYgen). The overall design prioritizes simplicity and memorability over strict adherence to real-world terminal appearances or symbolic representation.
Hacker News users discuss Simon Tatham's blog post explaining the iconography of PuTTY's various tools. Several commenters express appreciation for Tatham's clear and detailed explanations, finding the rationale behind the choices both interesting and amusing. Some discuss alternative iconography they've encountered or imagined, while others praise Tatham's software and development style more generally, citing his focus on simplicity and functionality. A few users share anecdotes of misinterpreting the icons in the past, highlighting the effectiveness of Tatham's explanations in clarifying their meaning. The overall sentiment reflects admiration for Tatham's meticulous approach to software design, even down to the smallest details like icon choices.
XPipe is a command-line tool designed to simplify and streamline connections to various remote environments like SSH servers, Docker containers, Kubernetes clusters, and virtual machines. It acts as a central hub, allowing users to define and manage connections with descriptive names and easily switch between them using simple commands. XPipe aims to improve workflow efficiency by reducing the need for complex commands and remembering connection details, offering features like automatic port forwarding, SSH agent forwarding, and seamless integration with existing SSH configurations. This effectively provides a unified interface for interacting with diverse environments, boosting productivity for developers and system administrators.
Hacker News users generally expressed interest in XPipe, praising its potential for streamlining complex workflows involving various connection types. Several commenters appreciated the consolidated approach to managing different access methods, finding value in a single tool for SSH, Docker, Kubernetes, and VMs. Some questioned its advantages over existing solutions like sshuttle, while others raised concerns about security implications, particularly around storing credentials. The discussion also touched upon the project's open-source nature and potential integration with tools like Tailscale. A few users requested clarification on specific features, such as container access and the handling of jump hosts.
Bcvi allows running a full-screen vi editor session over a limited bandwidth or high-latency connection, such as a serial console or SSH connection with significant lag. It achieves this by using a "back-channel" to send screen updates efficiently. Instead of redrawing the entire screen for every change, bcvi only transmits the differences, leading to a significantly more responsive experience. This makes editing files remotely over constrained connections practical, providing a near-native vi experience even with limited bandwidth. The back-channel can be another SSH connection or even a separate serial port, providing flexibility in setup.
Hacker News users discuss the cleverness and potential uses of bcvi, particularly for embedded systems debugging. Some express admiration for the ingenuity of using the back channel for editing, highlighting its usefulness when other methods are unavailable. Others question the practicality due to potential slowness and limitations, suggesting alternatives like ed. A few commenters reminisce about using similar techniques in the past, emphasizing the historical context of this approach within resource-constrained environments. Some discuss potential security implications, pointing out that the back channel could be vulnerable to manipulation. Overall, the comments appreciate the technical ingenuity while acknowledging the niche appeal of bcvi.
VS Code's remote SSH functionality can lead to unexpected and frustrating behavior due to its complex key management. The editor automatically adds keys to its internal SSH agent, potentially including keys you didn't intend to use for a particular connection. This often results in authentication failures, especially when using multiple keys for different servers. Even manually removing keys from the agent within VS Code doesn't reliably solve the issue because the editor might re-add them. The blog post recommends disabling VS Code's agent and using the system SSH agent instead for more predictable and manageable SSH connections.
HN users generally agree that VS Code's remote SSH behavior is confusing and frustrating. Several commenters point out that the "agent forwarding" option doesn't work as expected, leading to issues with key-based authentication. Some suggest the core problem stems from VS Code's reliance on its own SSH implementation instead of leveraging the system's SSH, causing conflicts and unexpected behavior. Workarounds like using the Remote - SSH: Kill VS Code Server on Host... command or configuring VS Code to use the system SSH are mentioned, along with the observation that the VS Code team seems aware of the issues and is working on improvements. A few commenters share similar struggles with other IDEs and remote development tools, suggesting this isn't unique to VS Code.
Summary of Comments ( 11 )
https://news.ycombinator.com/item?id=43716526
Hacker News users discuss the severity and impact of the Erlang/OTP SSH vulnerability. Some highlight the potential for widespread exploitation given Erlang's usage in telecom infrastructure and distributed systems. Several commenters question the assigned CVSS score of 9.8, finding it surprisingly high for a vulnerability that requires non-default configuration (specifically enabling password authentication). The discussion also touches on the practical implications of the vulnerability, acknowledging that while serious, exploitation might be limited by the need for open SSH ports and enabled password logins. Others express concern about the potential for nested exploitation, as vulnerable Erlang systems might host other exploitable services. Finally, some users note the responsible disclosure and patching process.
The Hacker News post titled "Unauthenticated Remote Code Execution in Erlang/OTP SSH" (https://news.ycombinator.com/item?id=43716526) has several comments discussing the vulnerability (CVE-2025-32433).
Several commenters highlight the severity of the vulnerability, being an unauthenticated remote code execution flaw. One user points out the particularly dangerous combination of this being a pre-auth vulnerability and Erlang's frequent use in distributed systems, increasing the potential attack surface. They mention that distributed Erlang systems often run with minimal firewalling, making them easier targets.
Another commenter notes that exploitation is straightforward, quoting the NIST advisory that "Successful exploitation of this vulnerability requires only sending a crafted SSH message." This emphasizes the low barrier to entry for potential attackers.
Discussion also revolves around the practical impact. One user questions how many publicly exposed Erlang SSH servers exist, suggesting that while serious, the impact might be limited depending on the prevalence of such deployments. This prompts another commenter to mention that while direct SSH access to Erlang nodes might be less common, many systems likely use distributed Erlang for backend communication, which could be vulnerable.
A commenter with experience in securing Erlang systems suggests that the vulnerability reinforces the importance of employing robust network security measures, like firewalls and VPNs, even within internal networks. They highlight that assuming internal networks are safe is a dangerous misconception.
There's some discussion of the technical details. One user dives deeper into the mechanism of the vulnerability, explaining that it arises from the way the
ssh_packet_set_size/1function handles size limits before authentication, allowing malicious actors to bypass checks and execute arbitrary code.Finally, several commenters express concern about the vulnerability's potential to affect critical infrastructure and industrial control systems, given Erlang's presence in those sectors. One user speculates about the potential for this vulnerability to be exploited in targeted attacks.