This one time, at band camp, James Gray wrote:
>So use key-based login for the "updater" user. That way, even if someone
>knows the existence of the "updater" user it won't be of any use to them
>without the private key from the machine(s) YOU are using. I don't allow any
>password-based login for my publicly accessible SSH machines. That way I can
>not only restrict what users can log in but also WHERE they login from (ie,
>the machine that has the private key) without resorting to high-maintenance
>IP address lists, iptables etc.
>
>Double up the security: restrict allowed users AND use key-based auth. :)

Further to that, you can do some pretty neat (or unmaintainable :-) things
with the authorized_keys file, e.g.:

from="*.example.org",environment="SNUH=bar",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/sbin/sudo apt-get update" ssh-dss AAAA....= some comment about this key

and then you can load a different key using ssh -i (IIRC) to change the
behaviour of the machine at the other end when you log in :-)

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
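
Added example, not part of the original post: a small Python check that parses the options field of authorized_keys lines like the one above (quotes included) and reports which restrictions a key lacks. The policy it checks (forced command, from=, and the four no-* options or "restrict") and the names split_options, audit and SAMPLES are assumptions made for illustration.

```python
import re

# Key-type tokens that mark the start of the key when no options field is present.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
FEATURES = ("port-forwarding", "agent-forwarding", "x11-forwarding", "pty")

def split_options(line):
    """Split the leading options field into a dict, honouring double quotes so
    commas and spaces inside command="..." do not end the option."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}, line                      # line starts with the key type
    opts, buf, in_quotes, i = {}, "", False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and line[i:i + 2] == '\\"':
            buf += '"'                       # escaped quote inside a value
            i += 1
        elif c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c in ", \t":
            name, _, value = buf.partition("=")
            opts[name.lower()] = value       # option names are case-insensitive
            buf = ""
            if c != ",":
                break                        # unquoted whitespace ends the field
        else:
            buf += c
        i += 1
    return opts, line[i:].strip()

def audit(line):
    """Return the restrictions (assumed policy) that this key line lacks."""
    opts, _ = split_options(line.strip())
    missing = [o for o in ("command", "from") if o not in opts]
    for feat in FEATURES:
        # "restrict" disables everything unless the feature is re-enabled by name
        locked = "no-" + feat in opts or ("restrict" in opts and feat not in opts)
        if not locked:
            missing.append("no-" + feat)
    return sorted(missing)

# Constructed sample lines; AAAA_CONSTRUCTED stands in for real key material.
SAMPLES = [
    'from="*.example.org",environment="SNUH=bar",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/sbin/sudo apt-get update" ssh-dss AAAA_CONSTRUCTED some comment',
    'ssh-ed25519 AAAA_CONSTRUCTED updater@laptop',
    'restrict,pty,command="/usr/local/bin/backup --dirs=/etc,/home" ssh-rsa AAAA_CONSTRUCTED backup',
]
for sample in SAMPLES:
    print(audit(sample) or "fully restricted", "<-", sample[:40])
```

The first sample is the line from the post with the key replaced by a placeholder; the third shows that a comma inside command="..." stays part of the command.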
