David L Norris wrote:
On Sat, 2004-07-31 at 00:12 -0700, Michael wrote:Thanks for the tips on seting up remote users and using keys on critical systems.
People seem to be going through great efforts to counter something that
isn't all that uncommon. Sometimes the simplest things are left out of the
discussion. Why hasn't anybody said anything about disableing root logons
via ssh? (isn't this pretty much standard proceedure to public systems?)
Exactly... Don't enable remote login for anyone who doesn't need it.
On all my systems I create a "remote" group and add only those users who are responsible enough to have shell access. Then in /etc/ssh/sshd_config I add the following:
PermitRootLogin no AllowGroups remote
On critical systems I use only SSH keys: PasswordAuthentication no
Many people seem to think that SSH magically makes their systems safe from intrusion. Without requiring keys SSH is as insecure as the least secure service on the machine.
I used SSH only to get into a test machine w/ a crashing X. It seemed extremely easy to get into the other computer. I knew the other passwords to the computer I logged into, but still an easy process. I didn't seem to be a real safe process w/ passwords allowed.
I don't normally use SSH for my own computer systems. Transferring files to one computer to another is more my use for remote machines. SSH might be useful for remote admin, but walking to the other machine is just as easy in a home network.
Thanks!
Jim
