Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-22 Thread Gener Badenas
On Wed, Feb 17, 2016 at 10:08 PM, Tom Browder wrote: > I have several remote Debian 7 servers and would like to secure it in > the following manner: > > 1. root will not be allowed any external access (access is only via a > user becoming root while logged in) > > 2. after

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-22 Thread Jeremy T. Bouse
On 2/18/2016 5:05 PM, Roman wrote: > Seriously, you have to trust someone to achieve goals. So accessing > server via ssh keys is pretty normal and secure + ldaps auth of course > (centralized account management), so if someone leaves, just disable > his account. sudo supports ldap auth, kind of

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-22 Thread Jonathan Dowland
On Fri, Feb 19, 2016 at 09:30:20AM +1300, Richard Hector wrote: > That then means that you don't get to choose which people have root on > which boxes - anyone who gets the rule gets the lot. And that includes > anyone who leaves, of course. Yes, but a leaked root password for one host does not

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-22 Thread Jonathan Dowland
On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote: > On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: > >2. after initial setup, no ssh access will be allowed via a password > > $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config Convenient for writing in

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-21 Thread Dominique Dumont
On Wednesday 17 February 2016 14:24:02 Darac Marjal wrote: > >2. after initial setup, no ssh access will be allowed via a password > > $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config That's a bad idea: You may end up with 2 PasswordAuthentication entries in sshd_config.

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-18 Thread Richard Hector
[Please don't cc me; I'm on the list] On 19/02/16 11:05, Roman wrote: > 2016-02-18 22:30 GMT+02:00 Richard Hector: > > > > I think a better solution in the end is to generate a random password > for each box, and leave it, on

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-18 Thread Roman
2016-02-18 22:30 GMT+02:00 Richard Hector: > > > I think a better solution in the end is to generate a random password > for each box, and leave it, on paper, in a safe or similar. It's very > rare anyone needs to use it. > > > Here is a hint (joke), how to secure root

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-18 Thread Richard Hector
On 18/02/16 11:02, Jeremy T. Bouse wrote: >>> I do agree locking the root password isn't advisable. As I use >>> configuration management/automation to handle my servers I simply set the >>> root password to generated password that only I know the algorithm to >>> reproduce it when I

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 4:02 PM, Jeremy T. Bouse wrote: > On 2/17/2016 3:31 PM, Tom Browder wrote: >> On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse >> wrote: ... >>> I do agree locking the root password isn't advisable. As I use >>>

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Jeremy T. Bouse
On 2/17/2016 3:31 PM, Tom Browder wrote: > On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse > wrote: >> Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good >> starts... I'd also check that "ChallengeResponseAuthentication no" is set as >> well as

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse wrote: > Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good > starts... I'd also check that "ChallengeResponseAuthentication no" is set as > well as some PAM modules will utilize it and be able to

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Jeremy T. Bouse
Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good starts... I'd also check that "ChallengeResponseAuthentication no" is set as well as some PAM modules will utilize it and be able to get around passwords being entered as well as "UsePAM no" I do agree locking the root

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread tomas
On Wed, Feb 17, 2016 at 04:26:28PM +0100, Peter Ludikovsky wrote: > More or less. What I wouldn't agree with is locking the root account > completely, because, like Thomas said, you'll be locked out

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Peter Ludikovsky
More or less. What I wouldn't agree with is locking the root account completely, because, like Thomas said, you'll be locked out should you ever be dropped to a rescue shell due to a hardware error. Regards, /peter Am 17.02.2016 um 15:56 schrieb

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 8:24 AM, Darac Marjal wrote: > On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: >> >> I have several remote Debian 7 servers and would like to secure it in >> the following manner: ... I can follow that! Thanks so much, Darac. Best,

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Tom Browder
On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky wrote: > -BEGIN PGP SIGNED MESSAGE- ... Thanks, Peter. Do you agree with Darac's solution? Best, -Tom

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread tomas
On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote: > On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: > >I have several remote Debian 7 servers and would like to secure it in > >the following manner: > > > >1. root will not be

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Peter Ludikovsky
Hi, The first requirement is simple. Add the line PermitRootLogin no or change it accordingly, and reload the SSH daemon. For the second: do you want to disallow any logins via passwords, or are they to be allowed once to set up the keys? The first

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

2016-02-17 Thread Darac Marjal
On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: I have several remote Debian 7 servers and would like to secure it in the following manner: 1. root will not be allowed any external access (access is only via a user becoming root while logged in) Ensure all users who may be