Eduardo Tongson wrote:
> On 10/12/06, Peter Abrahamsen <[EMAIL PROTECTED]> wrote:
>> Hi list,
>>
>> I'm looking for some opinions for a security decision. I need to
>> enable remote administrative access to critical systems living about
>> 3-4 hours from me and in another country. The systems will be running
>> LAMP, more or less.
>>
>> Which is a better idea, allowing key-only root access, or ssh'ing in
>> as myself and running su/sudo/whatever? Either way, I'll set up
>> iptables so that connection attempts from anywhere other than my
>> office are -j DROP'ed.
>
> Ssh'ing to root with key-only plus a good passphrase is best.
> Avoid ugly workarounds and unnecessary complexity like port
> knocking and sudo.
Second on that; and some more details:

1. Generate a long key pair on the client ("ssh-keygen -t rsa -b 2048") and set a long, strong passphrase to protect it
2. Copy the public part to the server via scp or:
   cat /root/.ssh/id_rsa.pub | ssh server.domain "cat >> /root/.ssh/authorized_keys2"
3. Set your server to "PermitRootLogin without-password"
4. Consider better protection of your private keys, like putting them on removable media (USB memory)
5. Consider using keychain for easy management: http://www.gentoo.org/proj/en/keychain/

Simple security is good security!

Kalin.
--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
--
[email protected] mailing list
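As an added example (not from either poster), a small POSIX shell audit that checks an sshd_config for the settings recommended in the thread; it applies sshd's first-match rule for keywords, stops at the first Match block, and runs against two constructed sample configs. OpenSSH 7.0 renamed `without-password` to `prohibit-password` (the old spelling is still accepted), so both count as the advised key-only setting.

```shell
#!/bin/sh
# Audit an sshd_config for the key-only root login setup recommended above.
# sshd honours the FIRST value it reads for each keyword, and the global
# section ends at the first "Match" line, so the parser mimics both rules.

# sshd_setting FILE KEYWORD -> prints the effective value (lowercased), if any
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2  { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }                 # global section is over
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> returns 0 if the config matches the advice, 1 otherwise
audit_sshd_config() {
    f="$1"; ok=0
    # OpenSSH 7.0 renamed without-password to prohibit-password; both mean key-only root
    case "$(sshd_setting "$f" PermitRootLogin)" in
        without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is not key-only"; ok=1 ;;
    esac
    # Once keys work, passwords add nothing but a brute-force surface
    [ "$(sshd_setting "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication should be no"; ok=1; }
    # PubkeyAuthentication defaults to yes; only an explicit "no" breaks the setup
    [ "$(sshd_setting "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication must not be no"; ok=1; }
    return $ok
}

# Two constructed sample configs (not from the thread) to exercise the audit
WEAK_CFG=$(mktemp); STRONG_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PermitRootLogin without-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$STRONG_CFG" <<'EOF'
PermitRootLogin without-password
PermitRootLogin yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
```

The second `PermitRootLogin yes` in the strong sample is deliberately ignored, as sshd itself would ignore it, and the Match block's password override does not leak into the global result.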
