Securing SSH access
lists at kittypee.com
Wed Apr 2 16:26:01 MDT 2008
Doran L. Barton wrote:
> If you can get away with it, disable password authentication in sshd_config
> (the 'PasswordAuthentication' directive) and require DSA (or RSA) keys.
> If you must allow password authentication, first make sure you do not allow
> the root user to log in via SSH. This is controlled via the
> 'PermitRootLogin' directive in sshd_config.
Don't forget when preventing password authentication to also disable the
Challenge-Response mechanism as well. There are two ways to accomplish
or just disable access to PAM altogether
Also PermitRootLogin accepts some other really cool options besides yes
forces key only auth for root
only allow root when a command is forced in the authorized_keys file.
Really useful stuff.
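An added example, not part of the original post: a small audit of the global section of an sshd_config for the settings discussed in this thread. The keywords ChallengeResponseAuthentication, KbdInteractiveAuthentication and UsePAM, and the PermitRootLogin values it accepts, are OpenSSH's own sshd_config keywords rather than text from the archived message; the sample config is constructed, and Include files and Match blocks are assumed out of scope.

```python
import re

# OpenSSH treats these two keywords as aliases for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Root login modes that do not accept a password.
ROOT_OK = ("no", "without-password", "prohibit-password", "forced-commands-only")

# Constructed sample config, not taken from the post.
SAMPLE = """\
Port 22
passwordauthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin yes
# The next line is ignored: sshd keeps the first value it reads for a keyword.
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

def global_settings(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional overrides are not audited here
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def audit(text):
    """List settings that are not explicitly locked down (unset counts as weak)."""
    s = global_settings(text)
    findings = []
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not explicitly 'no'")
    # Either switch closes the PAM challenge-response password prompt.
    if s.get("kbdinteractiveauthentication") != "no" and s.get("usepam") != "no":
        findings.append("challenge-response through PAM is still enabled")
    if s.get("permitrootlogin") not in ROOT_OK:
        findings.append("PermitRootLogin permits root password login or is unset")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WEAK:", finding)
```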