I just wanted to confirm that adding a pass-phrase to the ssh key is a good idea :)
Your suggestion with Match Address is cool and a great suggestion if a firewall is not an option, but if you ask me, disabling password authentication with PasswordAuthentication=no and using SSH keys for root to manage servers is as safe as using a sudo user instead, since it's not like someone would brute-force the root SSH key. But that is just my opinion, because I usually use RHEL. If you are on Debian/Ubuntu, you would probably use a sudo user.

On Monday, April 21, 2014 6:19:25 PM UTC+2, Francisco Reyes wrote:
>
> On Monday, April 21, 2014 12:10:05 PM UTC-4, Strahinja Kustudić wrote:
>
> >>Add a key
>
> ssh key? That is part of what I already
>
> >> that would make it also safer for you, since you would need to type a password before doing any changes on production servers.
>
> My plan is to have a key for the ssh key and then use ssh-agent.
>
> >>What I would recommend though is that you just close down SSH in your firewall to all except addresses which are going to be used as managing servers
>
> Very often not possible.
> Depending on the size of an organization you may have:
> Mobile users
> Users working from home
> Users from multiple offices
>
> If my suggested approach worked, that would be a possible alternative for the original poster. In that case he would not even need to have a sudo user. Hence, why I am asking if that suggested approach is considered safe from a "best practices" standpoint.
>
