Ridding myself of root passwords?

Michael Torrie torriem at gmail.com
Mon Feb 3 13:16:42 MST 2014


On 02/03/2014 12:26 PM, S. Dale Morrey wrote:
> Interesting, I'm going to have to try that.  I move SSH to a random port
> off in the boonies, that alone eliminated brute-force attempts on my end.
> Still passwords are so 1970s.  Certs are where all the cool kids are
> stashing their goodies nowadays :)

Recent versions of openssh allow you to configure options on a per-host or
per-subnet basis.  For example, here's an extract from my sshd_config:

PasswordAuthentication no

Match Address 192.168.*,127.*
        PasswordAuthentication yes
        X11Forwarding yes
        AllowTcpForwarding yes

That bans password logins except from private IP addresses (VPN in my case).
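
An added example, not part of the original post: a small Python model of how a Match Address block overrides the global setting, useful for checking which client addresses would still be offered password logins. SAMPLE_CONFIG is a constructed copy of the extract above; the helper names are hypothetical, and only the Address criterion is modelled.

```python
import fnmatch
import ipaddress

# Constructed sample mirroring the sshd_config extract in the post above.
SAMPLE_CONFIG = """\
PasswordAuthentication no

Match Address 192.168.*,127.*
        PasswordAuthentication yes
        X11Forwarding yes
        AllowTcpForwarding yes
"""

def addr_matches(addr, pattern_list):
    """Simplified model of a Match Address list: globs, CIDR, '!' negation."""
    matched = False
    for pat in pattern_list.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        if "/" in pat:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and negate:
            return False  # a negated hit vetoes the whole list
        matched = matched or hit
    return matched

def effective(config, keyword, client_addr):
    """Value of `keyword` that applies to client_addr, or None if unset."""
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit, _, patterns = rest.partition(" ")
            in_match = True
            # Assumption: only the Address criterion is modelled.
            active = crit.lower() == "address" and addr_matches(client_addr, patterns.strip())
        elif key == keyword.lower():
            if in_match and active and match_val is None:
                match_val = rest    # first satisfied Match block wins
            elif not in_match and global_val is None:
                global_val = rest   # first global occurrence wins
    return match_val if match_val is not None else global_val  # Match overrides global
```

With these patterns, effective(SAMPLE_CONFIG, "PasswordAuthentication", "10.8.0.5") returns "no", because only 192.168.* and 127.* are listed. On a real server, sshd's extended test mode (sshd -T with a -C connection spec) reports the settings the daemon itself would apply.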

