Ridding myself of root passwords?
torriem at gmail.com
Mon Feb 3 12:08:38 MST 2014
On 02/03/2014 11:52 AM, S. Dale Morrey wrote:
> I misunderstood the without-password to mean they can log in without a
> Guess that makes more sense. I can't imagine a situation except for
> possibly embedded and not connected to the internet that you would want
> root to log in without a password.
I configured my VPS to disallow ssh password logins for _all_ users,
including root, except from specific IP addresses. Combine that with a
fail2ban script, and I don't have any problems with brute-force ssh
attacks anymore. I don't bother with moving my sshd to a different
port, or port-knocking.

Also I have started putting passwords on all my important ssh keys
(encrypts the keys), just for added safety in case a key file gets
lifted off my computer somehow. ssh-agent and the agents built into
most modern desktop environments can cache the keys and it makes it
fairly painless to use.
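
Added example, not part of the original post: a sketch of the policy described above (password logins off for everyone, allowed only from listed addresses) as an sshd_config fragment, with a small checker that reports the effective setting for a given client address. The addresses are constructed documentation ranges, and the checker models only `Match Address` with literal addresses and CIDR blocks.

```python
import ipaddress

# Constructed sshd_config; the addresses are documentation ranges, not from the post.
# Newer OpenSSH spells "without-password" as "prohibit-password".
SAMPLE_CONFIG = """\
PermitRootLogin without-password
PasswordAuthentication no

Match Address 203.0.113.10,198.51.100.0/24
    PasswordAuthentication yes
"""

def _addr_matches(patterns, client):
    """True if client is in any comma-separated address/CIDR pattern."""
    ip = ipaddress.ip_address(client)
    hit = False
    for pat in patterns.split(","):
        if ip in ipaddress.ip_network(pat.lstrip("!"), strict=False):
            if pat.startswith("!"):
                return False  # a negated pattern that matches always rejects
            hit = True
    return hit

def effective(config, keyword, client):
    """Effective value of `keyword` for a connection from `client`."""
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
            crit = arg.split(None, 1)
            # Only "Match Address" is modelled; other criteria never apply here.
            active = (len(crit) == 2 and crit[0].lower() == "address"
                      and _addr_matches(crit[1], client))
        elif key == keyword.lower():
            if not in_match and global_val is None:
                global_val = arg   # first global value wins
            elif in_match and active and match_val is None:
                match_val = arg    # first satisfied Match block wins
    return match_val if match_val is not None else global_val
```

On a real host, sshd's extended test mode (`sshd -T` with a `-C` connection spec) reports the effective values for a given source address.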