On Mon, 2014-02-24 at 16:40 +1100, Chris Maltby wrote:
> Add to that
> - use authorized_keys options such as "from=" to limit key
>   range especially for passwordless command access keys
> - watch out for insecure use of ssh-agent

Good points. To be pedantic though, when you write "passwordless" you presumably just mean that publickey removes the need for anyone to type in a password. The ssh keys for command access are passphraseless, so no one has to type in a passphrase, but the accounts on both ends should definitely have passwords.

The second one is uncontrollable, being client-side, but it's another reason to have a good education program in place - even, and some might say especially, for system administrators.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([email protected])
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
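An added example, not part of either message above: a small audit of an authorized_keys file that reports keys with no "from=" limit, marking the command-access keys among them. The function names, finding labels and the sample file (placeholder key blobs, documentation-range addresses) are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # a field starting like this is the key type
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')   # spaces inside quotes do not split
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')  # nor do commas

def parse_line(line):
    """Return (options, key type, comment) or None for blank/comment/short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = FIELD.findall(line)
    options = {}
    if not fields[0].startswith(KEY_TYPES):          # leading field holds the options
        options = {k.lower(): v for k, v in OPTION.findall(fields[0])}
        fields = fields[1:]
    if len(fields) < 2:
        return None
    return options, fields[0], " ".join(fields[2:])

def audit(text):
    """Return [(line number, comment, [findings])] for keys lacking a source limit."""
    report = []
    for number, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _key_type, comment = parsed
        findings = []
        if "from" not in options:
            findings.append("no-from")
        elif "*" in options["from"].split(","):      # only the bare "*" pattern is caught
            findings.append("from-matches-any-host")
        if findings and "command" in options:        # unattended command-access key
            findings.append("command-key")
        if findings:
            report.append((number, comment, findings))
    return report

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# constructed example
ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
command="/usr/local/bin/backup --all",no-pty ssh-ed25519 AAAAC3PLACEHOLDER2 backup job
from="192.0.2.10,198.51.100.0/24",command="/usr/local/bin/backup --all" ssh-rsa AAAAB3PLACEHOLDER3 backup@nas
from="*",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER4 bob@anywhere
'''

if __name__ == "__main__":
    for number, comment, findings in audit(SAMPLE):
        print(f"line {number} ({comment}): {', '.join(findings)}")
```

Entries that carry both "no-from" and "command-key" are the passphraseless automation keys the quoted advice singles out.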
