Securing SSH access

Lonnie Olson lists at kittypee.com
Wed Apr 2 16:26:01 MDT 2008


Doran L. Barton wrote:
> If you can get away with it, disable password authentication in sshd_config
> (the 'PasswordAuthentication' directive) and require DSA (or RSA) keys. 
> 
> If you must allow password authentication, first make sure you do not allow
> the root user to log in via SSH. This is controlled via the
> 'PermitRootLogin' directive in sshd_config. 

Don't forget when preventing password authentication to also disable the 
Challenge-Response mechanism as well.  There are two ways to accomplish 
this completely.

	PasswordAuthentication no
	ChallengeResponseAuthentication no

or just disable access to PAM altogether

	UsePAM no

Also PermitRootLogin accepts some other really cool options besides yes 
and no.
* without-password
   forces key only auth for root
* forced-commands-only
   only allow root when a command is forced in the authorized_keys file.

Really useful stuff.

--lonnie



More information about the PLUG mailing list