mrbuttonsmeow

Reputation: 125

Is it safe to SSH into a server while on a public VPN?

If my computer is on a public VPN (think something like NordVPN), is it safe to SSH into a server? I'm getting the warning "The authenticity of host 'FOO.BAR' can't be established. Are you sure you want to continue connecting (yes/no/[fingerprint])?", and I'm wondering if it's related and/or if I can safely ignore it.

Upvotes: 0

Views: 516

Answers (1)

seism0saurus

Reputation: 426

It should be OK.

The message you get is normal if you connect for the first time and didn't import the fingerprint of the server to your client. For each server, the fingerprint is stored in ~/.ssh/known_hosts on the client. When you connect to the server, ssh compares the saved fingerprint with the actual fingerprint from the server.

The fingerprint is calculated from the public key of the server. See https://superuser.com/questions/421997/what-is-a-ssh-key-fingerprint-and-how-is-it-generated

If you get a different fingerprint from the server, something is fishy and you should be cautious.

But if you connect for the first time, there is no fingerprint and ssh asks you if this is the correct server. This is called trust on first use, or TOFU.

SSH is designed to enable secure connections through insecure networks. The insecure network is normally the internet but could also be a VPN. So an ssh connection through your VPN is as secure as connecting through the internet.

There are some problems with exposing an ssh server to the internet. There are a lot of scans on the default port and automatic attempts to brute-force the login credentials or exploit old ssh versions. Therefore you should:

  • Use a nonstandard port
  • Disable root access and login with a normal user, then chroot
  • Use private keys instead of passwords
  • Use fail2ban or other automated tools to block attacks

Upvotes: 1
