On Sat, 2005-12-10 at 16:35, wwp wrote: > Hello Scot, > > > On Tue, 06 Dec 2005 21:15:04 -0500 "Scot L. Harris" <webid@xxxxxxxxxx> wrote: > > Key based authentication is the right way to go. You should disable > > root ssh access completely. > > BTW, is there a way to make ssh allowing root access from a specific > interface (local for instance) and denying it from other ones (external)? I believe that can be done. However I would not recommend that. It is always better to have someone login as themselves then su - or use sudo to get elevated privileges. You then have an audit trail of who used root plus they would have to break a standard user account then the root account. If you go that route it just complicates your setup and if an error is made you could leave root open on an external interface. Much simpler and safer to deny root access completely.
