None of that is required here? Etcha can be exposed on the Internet with a smaller risk profile than SSH:
- Sane, secure defaults
- HTTP-based--no fingerprinting, requires the correct path (which can be another secret), plays nicely with reverse proxies and forwarders (no need for jump boxes)
- Rate limited by default
- Only works with PKI auth
- Clients verify/validate HTTPS certificates, no need for SSHFP records.