Tim Hammerquist <[EMAIL PROTECTED]> writes:
> [*] I would consider leaving PermitRootLogin enabled a firing
> offense in itself.

PermitRootLogin is needed for rdisting. Without that you end up having to maintain N systems.

/etc/ssh/sshd_config:

    Protocol 2
    PermitRootLogin without-password
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    X11Forwarding yes
    ClientAliveInterval 60
    ClientAliveCountMax 30

If you only allow 2k RSA/DSA passwords you aren't exposing yourself to appreciable added risk.

The only loose end is that sshd doesn't currently log the RSA/DSA key that is used to gain access. Ideally it would record the comment field from ~/ssh/authorized_keys into /var/log/authlog. That way, as long as everyone had their own key, you could always tell who logged in as root, same as the case of trampoline logins via a normal user account.

-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Microsoft Vista - because "Virus Installer" was too long.
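
Added example, not part of the original post: later OpenSSH releases log the SHA256 fingerprint of the accepted key in the "Accepted publickey" line, so the per-person attribution of root logins described above can be recovered by matching those fingerprints against the comments in root's authorized_keys. The key blobs, log lines and function names below are constructed for illustration and assume that log format.

```python
import base64, hashlib, re

KEY_RE = re.compile(r'(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')
LOG_RE = re.compile(r'Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)')

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA256 over the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_comments(authorized_keys_text):
    """Map fingerprint -> comment for each key line; a leading options field is tolerated."""
    table = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            table[fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return table

def attribute(log_text, comments):
    """Return (account, source address, key comment or None) per accepted public-key login."""
    return [(m.group(1), m.group(2), comments.get(m.group(3)))
            for m in LOG_RE.finditer(log_text)]

def sample_blob(tag):
    """Constructed placeholder blob (not a real key); only its bytes matter for hashing."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()

# Constructed sample data: root's authorized_keys and two auth log lines.
SAMPLE_KEYS = "\n".join([
    "# root's authorized_keys (constructed)",
    "ssh-rsa %s alice@laptop" % sample_blob(b"constructed-key-A"),
    'from="192.0.2.*" ssh-rsa %s bob@desk' % sample_blob(b"constructed-key-B"),
])
SAMPLE_LOG = "\n".join([
    "sshd[311]: Accepted publickey for root from 192.0.2.7 port 50022 ssh2: RSA %s"
    % fingerprint(sample_blob(b"constructed-key-B")),
    "sshd[388]: Accepted publickey for root from 198.51.100.9 port 50100 ssh2: RSA %s"
    % fingerprint(sample_blob(b"constructed-key-X")),
])

if __name__ == "__main__":
    for account, src, who in attribute(SAMPLE_LOG, load_comments(SAMPLE_KEYS)):
        # A login whose fingerprint is not in authorized_keys is worth an alert.
        print(account, src, who or "UNKNOWN KEY")
```

A login that resolves to no comment means the key was accepted from somewhere other than the file you audited, or the file changed since.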