Doran L. Barton wrote:
If you can get away with it, disable password authentication in sshd_config
(the 'PasswordAuthentication' directive) and require DSA (or RSA) keys.
If you must allow password authentication, first make sure you do not allow
the root user to log in via SSH. This is controlled via the
'PermitRootLogin' directive in sshd_config.
Don't forget, when preventing password authentication, to also disable the
Challenge-Response mechanism. There are two ways to accomplish
this completely.
PasswordAuthentication no
ChallengeResponseAuthentication no
or just disable access to PAM altogether
UsePAM no
Also PermitRootLogin accepts some other really cool options besides yes
and no.
* without-password
forces key only auth for root
* forced-commands-only
only allow root when a command is forced in the authorized_keys file.
Really useful stuff.
--lonnie
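As an added example (not part of the original thread), here is a small POSIX shell checker for the four directives discussed above. It honours the rule that sshd keeps the first value it reads for a keyword and ignores later duplicates; the sample config files it audits are constructed inline, and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# directives discussed in the thread. sshd uses the FIRST value it reads for a
# keyword and ignores later duplicates, so a "PasswordAuthentication no"
# appended below an earlier "yes" changes nothing. Match blocks are not handled.

# effective_value FILE KEYWORD -> first value set for KEYWORD, lowercased
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                     # skip comments and blank lines
        tolower($1) == key   { print tolower($2); exit }  # first match wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line; returns 0 if clean, 1 otherwise
audit_sshd_config() {
    cfg=$1; findings=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    cr=$(effective_value "$cfg" ChallengeResponseAuthentication)
    pam=$(effective_value "$cfg" UsePAM)
    root=$(effective_value "$cfg" PermitRootLogin)

    # A missing keyword falls back to sshd's built-in default, so treat it as not hardened
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication=${pw:-unset}: password logins are still accepted"
        findings=1
    fi
    # PAM's keyboard-interactive path can still prompt for a password unless one of these is off
    if [ "$pam" != "no" ] && [ "$cr" != "no" ]; then
        echo "ChallengeResponseAuthentication=${cr:-unset} with UsePAM=${pam:-unset}: PAM may still ask for a password"
        findings=1
    fi
    case $root in
        no|without-password|forced-commands-only) ;;
        *) echo "PermitRootLogin=${root:-unset}: root may log in with a password"; findings=1 ;;
    esac
    return $findings
}

# Constructed sample configs: a weak one (with the ignored trailing "no") and a hardened one
tmp=$(mktemp -d)
printf 'PasswordAuthentication yes\nPermitRootLogin yes\n# ignored by sshd:\nPasswordAuthentication no\n' > "$tmp/weak.conf"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\nPermitRootLogin without-password\n' > "$tmp/hard.conf"
audit_sshd_config "$tmp/weak.conf" || echo "weak.conf: findings listed above"
audit_sshd_config "$tmp/hard.conf" && echo "hard.conf: clean"
rm -rf "$tmp"
```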
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/