
Re: How can I secure a Debian installation?



On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote:

> On Tue, 28 Jan 2014 18:42:34 +0000
> Brian <ad44@cityscape.co.uk> wrote:
> 
> > The AllowUsers directive is a legitimate way to restrict ssh logins to
> > certain users. However, I do not see what (ssh keys + AllowUsers)
> > brings to the party that (password + AllowUsers) doesn't.
> 
> A key (if kept secret) is even harder to "guess" than a
> password,

I'd like to see a complex, random, high-entropy 20 character password 
which is guessable (or capable of being cracked) in a timeframe which 
has some significance. I'll give you "even harder" but it is of no great
consequence if you consider the situation where an online subversion of
a user's account is being attempted and a good password is in place. 

>           also it's not "ssh keys + AllowUsers" it's (or should be)
> "ssh key + key pass-phrase + AllowUsers".

The key pass-phrase is never seen by the server; it plays no part in an
ssh login. You may think it does but the server doesn't.

  ssh keys + AllowUsers

and

  password + AllowUsers

are equally secure.

AllowUsers does what it says. It may be a requirement of the site being
accessed but it plays no part in the security underlying an ssh login.

There are security advantages to logging in with ssh keys; the strength
of a key isn't one of them. However, ssh key proponents never seem to
mention them. They instruct: "Use private key authentication"; no
explanation, no justification, nothing to indicate why it might be more
appropriate for the situation under discussion. It's as though they are
mesmerised by the number of bits which a key can contain.

To return to the original point of this thread: logging in as root with
a key or with a password carries the same risk. I would say it is close
to zero in both cases.
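As an added illustration of the AllowUsers, password and root-login settings argued over above (example shell script, not code from anyone in this thread), this reports the value sshd will actually use for each directive: sshd keeps the first value it reads for a keyword and ignores later duplicates, and keywords after a `Match` line apply only to matching connections, so a quick grep of the file can mislead. The sample sshd_config is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: show the value sshd will actually
# use for each directive in a config file. sshd takes the FIRST value it reads
# for a keyword (later duplicates are ignored), and keywords after a "Match"
# line apply only to matching connections, so this stops at the first Match.

effective_value() {
    # $1 = sshd_config path, $2 = keyword (matched case-insensitively)
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        tolower($1) == "match" { exit }         # conditional section begins
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

audit_sshd_config() {
    # Report the directives discussed in the thread; an empty value means the
    # keyword is absent and sshd's built-in default for that version applies.
    for kw in AllowUsers PasswordAuthentication PermitRootLogin; do
        v=$(effective_value "$1" "$kw")
        printf '%s: %s\n' "$kw" "${v:-(unset: sshd default applies)}"
    done
}

# Constructed sample config (assumption: not a real host's file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowUsers alice bob
# a later duplicate: sshd ignores it, a naive grep would not
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE"
```

On a real host, run it against /etc/ssh/sshd_config and compare with `sshd -T`, which prints the effective configuration including defaults.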

