Donald Tripp wrote: > But think of it this way: you see all those log files with people trying > to GUESS usernames: fred, mary, joe, jane.... wouldn't it be better to > NOT allow root access so they MUST guess your username as well as key, > and password? Three phase authentication is always better than two! > It is even better not to allow password login at all. If you use key pairs for authorization, then they have first get your private key, then guess your pass phrase for the key. If they manage that, then they can try to guess the root password, or a local exploit that will let them become root... (If they know enough to get your private key, I figure they already know the user name...) Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
