On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse <jeremy.bo...@undergrid.net> wrote:
> Setting SSH "PermitRoot no" and "PasswordAuthentication no" is a good
> start... I'd also check that "ChallengeResponseAuthentication no" is set, as
> some PAM modules will utilize it and be able to get around passwords
> being entered, as well as "UsePAM no".

Okay.

> I do agree locking the root password isn't advisable. As I use
> configuration management/automation to handle my servers, I simply set the
> root password to a generated password that only I know the algorithm to
> reproduce when I need to,

Can you give more details on the process (at least generally)?

> but enable sudoers for all other 'root' access.

Can one use that method and restrict use of "sudo su"?

> I also go further by utilizing Duo Security as an MFA for SSH logins to
> my servers for accounts authorized to log in.

Hm, so you do allow some accounts password access?

Thanks, Jeremy!

Best,
-Tom
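The four sshd_config directives quoted above are easy to get subtly wrong, because sshd applies the first occurrence of a keyword and ignores later duplicates, and anything below a "Match" line applies only conditionally, so a plain grep for "PasswordAuthentication no" can report a file as hardened when it is not. The script below is an added example, not code from either mail in the thread, that resolves the effective global value the way sshd does and audits a file for the settings Jeremy lists. The directive is spelled "PermitRootLogin" in sshd_config; the quoted "PermitRoot" is read here as shorthand for it. The two sample configs and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above. Two sshd parsing rules make a naive grep unreliable:
#   1. the FIRST occurrence of a keyword wins; later duplicates are ignored;
#   2. lines after a "Match" line apply only to matching connections.
# Keywords are case-insensitive and may be written "Keyword value" or "Keyword=value".

# effective_value FILE KEYWORD
#   Prints the effective global value of KEYWORD (empty if not set globally).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); sub(/=/, " ") }      # drop comments, normalise Key=value
        NF == 0 { next }                       # skip blank lines
        tolower($1) == "match" { exit }        # conditional block: global scope ends
        tolower($1) == key { print $2; exit }  # first occurrence is the effective one
    ' "$1"
}

# audit_sshd_config FILE
#   Prints one FAIL line per setting that is not in the hardened state.
#   Returns 0 if everything passes, 1 otherwise. An unset directive is
#   reported as a failure so the hardened value has to be written explicitly.
audit_sshd_config() {
    file=$1
    rc=0
    for pair in \
        "PermitRootLogin no" \
        "PasswordAuthentication no" \
        "ChallengeResponseAuthentication no" \
        "UsePAM no"
    do
        key=${pair% *}
        want=${pair#* }
        got=$(effective_value "$file" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: effective value "%s", want "%s"\n' \
                "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inputs (not real server configs) for the demonstration.
write_weak_sample() {
    cat > "$1" <<'EOF'
# sshd_config: constructed example of a config that only looks hardened
Port 22
PermitRootLogin no
PasswordAuthentication yes     # first occurrence: this is what sshd enforces
PasswordAuthentication no      # silently ignored by sshd
ChallengeResponseAuthentication=no
Match User deploy
    PasswordAuthentication no  # conditional, not global
EOF
}

write_hardened_sample() {
    cat > "$1" <<'EOF'
# sshd_config: constructed example with the thread's settings applied
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

On the weak sample the audit reports PasswordAuthentication (effective value "yes", because the first line wins) and UsePAM (unset) as failures; the hardened sample passes. On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check; this script is for reviewing files before they are deployed. Two caveats worth knowing when applying Jeremy's list: newer OpenSSH releases (8.7 and later) renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication and keep the old name as an alias, and "UsePAM no" turns off PAM account and session processing as well as PAM authentication, so test that change on a non-production host before rolling it out.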