
Re: ssh and root logins



On Tue, 10 Aug 2004 23:02, Mark Bucciarelli <mark@easymailings.com> wrote:
> On Tuesday 10 August 2004 10:52, Dale E Martin wrote:
> > Anyways, I would like to disable password logins for root on several of
> > my boxes but allow root to come in from known IPs and with known ssh
> > keys.  Is there a way to disable password logins for root in sshd_config
> > or root/.ssh/config, while leaving password logins intact for regular
> > users?
>
> Would it work to disable all ssh password logins and only allow logins with
> the proper private key?
>
> I find this most secure--no more worries about password cracks (I just have
> to worry about the physical security of the USB key on my keychain).

Also the security of the machine that you use to ssh to other machines.  If 
the machine can be compromised then the ssh private key can be stolen from 
the USB device by a trojaned ssh client.

Systems like Opie deal with this by having a calculation to generate the new 
one-time password which can be performed on another machine.  Run that 
calculation on a PDA and things are a lot more difficult for an attacker.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


