hello all,
i have general questions about how best to set up ssh access.
1. is ssh safe enough to open to the world? i'm travelling,
and even when i'm not, i'm often somewhere where the IP
number is not one of those that i allow to access ssh
on the servers i work on. so i'd like to open up ssh
access to the world (but with appropriate security, e.g.,
the open ssh runs on a non-standard port and accepts only
logins from a few well known logins and only with pubkey
auth, or maybe with pubkey AND password :).
the primary question is, though, can i open up ssh to the
world with only internal sshd rules to protect it?
2. i'd like to allow ssh root access with pubkey authentication
on some of those boxes. the reason is, i want to set the
root password to something long and unmemorizable and then
forget the password and swallow the piece of paper it was on :).
after that, the only root access is going to be via ssh
with pubkey auth, or at the console after rebooting the box
due to some emergency.
standard advice is to login as a regular user and then su
to root (for accounting, so we know who is su-ing to root).
but if i su to root, then i'd need to know the password,
and i'd like to forget the password and use pubkey.
of course, ssh to root is not going to be done a lot. but
every once in a while it's going to be necessary, for system
admin.
3. what sshd_config settings do you recommend? right now i like
running two sshds. one is on the normal port and is accessible
only to a few IPs locally. it does, however, allow password
auth.
the other sshd is on a different port and allows only two
logins (root and mine) to log in, and it only accepts pubkey
auth. is it possible to require both pubkey and password?
the questions above might be summarized thus: what is the best way
to secure ssh and yet allow pubkey root access from random hosts
on the net.
generally, my cert is only on my own notebook and if i need to
work on another computer, i've got some linux boot disks with
my cert and ssh on them. i NEVER ssh from any windows computer.
if i have to do that, i boot from my linux root boot and use
that.
tiger
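A pair of sshd_config files for the two-daemon layout described in the post, added here as an example rather than the poster's own configuration. The LAN address 192.168.1.10, the port 2222, the second file's path and the user names "tiger" and "admin" are assumptions. The second file also shows the AuthenticationMethods directive, which on OpenSSH 6.2 and later is how a key AND a password can be required, while a Match block keeps root on key-only auth since root's password is meant to be forgotten.

```text
# ---- /etc/ssh/sshd_config  (internal daemon: LAN only, password allowed) ----
# Assumed LAN address and user names; adjust to the real host.
Port 22
# Bind to the LAN interface only, never 0.0.0.0.
ListenAddress 192.168.1.10
PidFile /var/run/sshd.pid
# VERBOSE logs the fingerprint of the key used for every pubkey login,
# which gives the per-person accounting that "su from a regular user" provides.
LogLevel VERBOSE
# Root reaches the box only through the public daemon below.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
# Only these users, and only from these local addresses (user@host patterns).
AllowUsers tiger@192.168.1.* admin@192.168.1.20

# ---- /etc/ssh/sshd_config.public  (second daemon: reachable from anywhere) ----
# Started separately: /usr/sbin/sshd -f /etc/ssh/sshd_config.public
# Non-standard port; the two daemons must not share a port.
Port 2222
ListenAddress 0.0.0.0
# Must differ from the internal daemon's PidFile.
PidFile /var/run/sshd-public.pid
LogLevel VERBOSE
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
# Nobody outside this list can even attempt to authenticate.
AllowUsers root tiger
# Root may log in with a key but never with a password. OpenSSH 7.0 and later
# spell this value "prohibit-password" and still accept "without-password".
PermitRootLogin without-password
# Require a key AND a password for the non-root login (OpenSSH 6.2+). The
# "password" method only works if PasswordAuthentication is enabled globally.
PasswordAuthentication yes
AuthenticationMethods publickey,password
# Root has no usable password, so for root the key alone must suffice.
Match User root
    AuthenticationMethods publickey
    PasswordAuthentication no
```

Check each file with `sshd -t -f <file>` before starting the daemon; sshd refuses to start on a syntax error, and an unknown keyword is the usual sign of an OpenSSH version too old for it (AuthenticationMethods is the one most likely to be missing). These directives decide who may authenticate, not who may connect: every host on the net can still reach and probe port 2222, so a packet filter that exposes only that port, plus the VERBOSE auth logs, still belongs in front of the public daemon.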
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]