Part of a system's security is to reduce the attack surface. Following this principle,
I want to see if I can switch from using regular salt minions for a saltstack managed
system set towards salt-ssh. This would allow doing some system management over SSH
instead of ZeroMQ.
I'm not confident yet that this is a solid approach to take (as performance is also
important, which is greatly reduced with salt-ssh), and the security exposure of the
salt minions over ZeroMQ is also not that insecure (especially not when a local firewall
ensures that only connections from the salt master are allowed). But playing doesn't hurt.