
Re: Debian security: need recipe for blocking root ssh access AND all ssh password access



On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
<jeremy.bouse@undergrid.net> wrote:
>     Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good
> starts... I'd also check that "ChallengeResponseAuthentication no" is set as
> well as some PAM modules will utilize it and be able to get around passwords
> being entered as well as "UsePAM no"

Okay.

>     I do agree locking the root password isn't advisable. As I use
> configuration management/automation to handle my servers I simply set the
> root password to a generated password that only I know the algorithm to
> reproduce it when I need to,

Can you give more details on the process (at least generally)?

> but enable sudoers for all other 'root' access.

Can one use that method and restrict use of "sudo su?"

>     I also go further by utilizing Duo Security as a MFA for SSH logins to
> my servers for accounts authorized to log in.

Hm, so you do allow some accounts password access?

Thanks, Jeremy!

Best,

-Tom
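
An added example, not part of the original message or thread: a small audit of an `sshd_config` for the four settings quoted above, using the actual keyword `PermitRootLogin` for root login control. The function name `audit_sshd_config` and the sample configuration are constructed for illustration; the check follows sshd's rule that the first value obtained for a keyword is the one used, and flags `Match` blocks that re-enable a setting.

```python
import re

# Settings recommended in the quoted message (keywords are case-insensitive).
# "PermitRootLogin" is the real sshd_config keyword for root login control.
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "usepam": "no",
}

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
# constructed sample
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication=yes
#ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

def audit_sshd_config(text):
    """Return ({keyword: (status, value)}, [(match, keyword, value), ...])."""
    global_vals, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive sets nothing
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            match = value  # following lines apply only to this Match block
        elif key in WANTED and match is None:
            global_vals.setdefault(key, value)  # first value wins
        elif key in WANTED and value != WANTED[key]:
            overrides.append((match, key, value))
    report = {}
    for key, want in WANTED.items():
        got = global_vals.get(key)
        status = "unset" if got is None else ("ok" if got == want else "weak")
        report[key] = (status, got)
    return report, overrides

if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE))
```

A keyword reported as `unset` falls back to the compiled-in default, which differs between OpenSSH versions, so it is worth setting explicitly.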

