Securing SSH access
Lonnie Olson
lists at kittypee.com
Wed Apr 2 16:26:01 MDT 2008
Doran L. Barton wrote:
> If you can get away with it, disable password authentication in sshd_config
> (the 'PasswordAuthentication' directive) and require DSA (or RSA) keys.
>
> If you must allow password authentication, first make sure you do not allow
> the root user to log in via SSH. This is controlled via the
> 'PermitRootLogin' directive in sshd_config.
Don't forget, when preventing password authentication, to disable the
Challenge-Response mechanism as well. There are two ways to accomplish
this completely.
PasswordAuthentication no
ChallengeResponseAuthentication no
or just disable access to PAM altogether
UsePAM no
Also, PermitRootLogin accepts some other really cool options besides yes
and no.
* without-password
forces key only auth for root
* forced-commands-only
only allows root when a command is forced in the authorized_keys file.
Really useful stuff.
--lonnie
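The settings in this thread are easy to get wrong because sshd resolves a directive by its first occurrence in the file, ignores case, and treats anything after a Match line as applying only to matching connections. The following audit script is an added example (not from the thread or from OpenSSH) that reads an sshd_config and reports the effective global value of PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin against the hardened values discussed above, treating UsePAM no as satisfying the challenge-response point the way the post describes. The sample config is constructed; the later OpenSSH spellings prohibit-password (for without-password) and KbdInteractiveAuthentication (for ChallengeResponseAuthentication) are accepted as aliases.

```python
"""Audit an sshd_config for the hardening directives discussed in the thread."""
import re

# Constructed sample sshd_config (not from any real host). The second
# PasswordAuthentication line is ignored by sshd because the first one wins,
# and the line inside the Match block applies only to user "backup".
SAMPLE_CONFIG = """\
# sample sshd_config
Port 22
PermitRootLogin without-password
PasswordAuthentication no
# sshd keeps the first value, so the next line has no effect
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

Match User backup
    PasswordAuthentication yes
"""

# Acceptable values for each audited directive (all lower-case).
EXPECTED = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "without-password", "prohibit-password",
                        "forced-commands-only"},
}


def effective_settings(text):
    """Return {directive: value} for the global section, as sshd resolves it.

    Directive names are case-insensitive, the first occurrence of a directive
    wins, and everything from the first Match line onward is skipped because
    it only applies to matching connections, not globally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" as well as "Key=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # remainder of the file is conditional, not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return {directive: (found_value, ok)} for the directives in EXPECTED.

    A directive that is not set is reported as "<unset>" and flagged, so the
    reviewer has to confirm the compiled-in default rather than assume it.
    """
    settings = effective_settings(text)
    pam_off = settings.get("usepam") == "no"
    results = {}
    for key, allowed in EXPECTED.items():
        found = settings.get(key, "<unset>")
        if key == "challengeresponseauthentication" and found == "<unset>":
            # newer OpenSSH spelling of the same directive
            found = settings.get("kbdinteractiveauthentication", "<unset>")
        ok = found in allowed
        if key == "challengeresponseauthentication" and pam_off:
            ok = True  # UsePAM no disables the challenge-response path
        results[key] = (found, ok)
    return results


if __name__ == "__main__":
    for directive, (value, ok) in audit(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {directive} = {value}")
```

Run against the sample, the script flags ChallengeResponseAuthentication (still yes, with PAM on) and passes the other two; feed it the real file with `audit(open("/etc/ssh/sshd_config").read())`. The script only models the global section, so anything intentionally relaxed inside a Match block still has to be reviewed by hand.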
More information about the PLUG mailing list