SSH Security
Jeroen van Meeuwen
kanarip at pczone-clan.nl
Wed Dec 7 15:21:22 UTC 2005
> On Wed, 2005-12-07 at 09:35, STYMA, ROBERT E (ROBERT) wrote:
> > > Key based authentication is the right way to go. You should disable
> > > root ssh access completely.
> > >
> >
> > Key based authentication is good, but there is one caveat. Straight
> > key based allows you to log in directly without typing a password.
> > If you are ssh'ing from work to home from a UNIX machine, any sys-admin
> > with the root password on your work machine can become you and then
> > ssh to your home machine as you with no password. Maybe you don't care
> > if your sysadmin is dinking around in your home machine and maybe you
do.
> >
> > I am not saying not to use key based authentication, but it is not a
> > cure all.
>
> You are correct, there are no magic bullet solutions. Typically you
> would still use a password/passphrase to use your private key. Of
> course the same rules apply as to any password, use a good non-trivial
> one that can not be guessed.
You should use a passphrase to use with your private key, unless you're
using SSH between servers on the same subnet (preferably without third-party
network components) and the boxes use the same passwords.
Kind regards,
Jeroen van Meeuwen
--
kanarip
More information about the fedora-list
mailing list