[K12OSN] ssh security

Vince Hoang vince at litrium.com
Sat Dec 18 03:03:12 UTC 2004

On Fri, Dec 17, 2004 at 06:45:22AM -0500, Rob Owens wrote:
> PermitRootLogin no
> Every hacker knows there is a user named "root" on your system.
> Don't allow root to ssh. Instead, ssh as your regular user and
> then su to become root. The hacker will then need to guess 2 sets
> of passwords in order to get root access.
>
> AllowGroups
> AllowUsers
> These options are self-explanatory. If the administrator is the
> only one who needs to use ssh, then don't allow anybody else
> access. That makes for a lower number of valid login names for a
> hacker to guess at.

I have been meaning to ask the list, particularly Eric, if the
K12LTSP setups could ship with a more restrictive SSH policy
out of the box.

The options I would propose are to limit SSH access to only
people in the staff group and disabling remote root logins.

  PermitRootLogin no
  AllowGroups staff

These are the two policies that I established with the HOSEF
installed K12LTSP servers. Until that happened, a few schools
were running production with generic user accounts and passwords.
Fortunately, the SSH policy was changed before the SSH scanning
bots got aggressive.
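As an added example (not part of Vince's post or of the K12LTSP distribution), here is a small POSIX shell audit that reads an sshd_config file and reports whether the two settings proposed above are actually in effect. It emulates sshd's rule that the first occurrence of a keyword wins and ignores commented-out lines, so a leftover "#PermitRootLogin yes" does not count. The sample config contents it writes are constructed; the group name "staff" and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original list post.
# Audits an sshd_config for "PermitRootLogin no" and an AllowGroups line
# that includes the expected admin group.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: first non-comment match,
# keyword compared case-insensitively, stopping at the first Match block.
# (Simplification: the "Keyword=value" spelling is not handled here.)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }            # comment line
        /^[[:space:]]*$/ { next }            # blank line
        tolower($1) == "match" { exit }      # conditional blocks: stop
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE GROUP
# Prints one finding per line; returns 0 only if both policies are in place.
audit_sshd_config() {
    file="$1"; group="$2"; status=0

    root=$(effective_value "$file" PermitRootLogin)
    # Unset means the sshd default applies: historically "yes",
    # "prohibit-password" since OpenSSH 7.0. Either way, not the policy.
    case "$root" in
        no) echo "ok: PermitRootLogin no" ;;
        "") echo "FAIL: PermitRootLogin not set (sshd default applies)"; status=1 ;;
        *)  echo "FAIL: PermitRootLogin $root"; status=1 ;;
    esac

    groups=$(effective_value "$file" AllowGroups)
    found=0
    for g in $groups; do
        [ "$g" = "$group" ] && found=1
    done
    if [ -z "$groups" ]; then
        echo "FAIL: AllowGroups not set (any account with a shell may log in)"; status=1
    elif [ "$found" -eq 1 ]; then
        echo "ok: AllowGroups restricts logins to: $groups"
    else
        echo "FAIL: AllowGroups is set but omits $group: $groups"; status=1
    fi
    return $status
}

# Constructed sample of a permissive stock config (only a commented-out
# PermitRootLogin, no AllowGroups). Written to the path given as $1.
write_default_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 2
#PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Constructed sample carrying the two lines proposed in the post.
write_hardened_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin no
AllowGroups staff
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Run directly as:  sh audit_sshd.sh /etc/ssh/sshd_config staff
if [ "$#" -eq 2 ]; then
    audit_sshd_config "$1" "$2"
fi
```

On a live server, `sshd -T` prints the effective configuration after all parsing, so the same two lines can be checked against its output instead of the file; the file-based check above is useful for auditing configs pulled from many machines without running sshd on each.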
