One thing you could add to the mix on these boxes is to have the user's authorized_keys file be protected so only the admin can put something in it. We've seen attacks in the past where the hacker will add his own keys to that file so he no longer needs to be using the keys of the original user.
Depending on how mobile your force is, you can also put limits on where various keys are valid. It's fine if you have a static IP address somewhere, but fails when the user goes to a conference or Comcast decides to change their home IP as they do on occasion.

Kenton Brede made the following keystrokes:
>Years ago when I started administering linux boxes, some of our boxes had
>sshd open to the world. So I devised kind of "poor person's" two-factor
>password authentication. It worked like this:
>
>admin1: could login to the system and su only to admin1ad.
>admin1ad: could not login, could su to root.
>
>Currently for all of our boxes, port 22 is behind a VPN. Some of us are
>using ssh keys for the initial login but password authentication is still
>enabled.
>
>I'm thinking about disabling password auth, using keys only and
>passwordless sudo access. Everyone would just have one user account. It
>sounds like at some point we'll be moving to two-factor for our VPN.
>
>Is this pretty much standard practice these days? Is it reasonably
>secure? If not, how are you all handling ssh authentication?
>
>Thanks,
>
>--
>Kent Brede

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
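
An audit sketch for the two suggestions in the reply above, added here as an example and not part of the original thread: it lists key entries that carry no OpenSSH `from=` source restriction and reports who other than the admin could change or replace an authorized_keys file. The function names, the sample entries and the default admin uid of 0 are assumptions.

```python
import os
import re
import stat
import sys

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

# Constructed sample entries; the key material is placeholder text.
SAMPLE = '''from="192.0.2.10,*.example.org",no-agent-forwarding ssh-ed25519 AAAAC3Nz alice@office
ssh-ed25519 AAAAC3Nz bob@laptop
command="/usr/local/bin/backup, nightly",no-pty ssh-rsa AAAAB3Nz backup job
'''

def split_unquoted(text, seps):
    """Split on separator characters that fall outside double-quoted values."""
    return re.findall(r'(?:"(?:\\.|[^"\\])*"|[^"%s])+' % seps, text)

def keys_without_from(text):
    """Return the comment of every key entry that has no from= restriction."""
    unrestricted = []
    for line in text.splitlines():
        fields = split_unquoted(line.strip(), r"\s")
        if not fields or fields[0].startswith("#"):
            continue
        opts = []
        if not fields[0].startswith(KEY_PREFIXES):  # leading field is the option list
            opts = split_unquoted(fields.pop(0), ",")
        if len(fields) >= 2 and not any(o.lower().startswith("from=") for o in opts):
            unrestricted.append(" ".join(fields[2:]) or fields[0])
    return unrestricted

def write_exposure(path, admin_uid=0):
    """List ways an account other than admin_uid could change or replace path."""
    findings = []
    # Whoever can write the directory can rename the file away and create a new one.
    for p in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(p)
        if st.st_uid != admin_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p}: writable by group or others")
    return findings

if __name__ == "__main__":
    print(keys_without_from(SAMPLE))       # entries usable from any address
    for key_file in sys.argv[1:]:          # e.g. each user's authorized_keys
        print(write_exposure(key_file))
```

A key file under the user's own home directory will always show a directory finding, which is why admin-only key files are usually kept in a root-owned directory named by sshd_config's AuthorizedKeysFile setting.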