I allow access to my servers via ssh with keys only. I don't allow access any other way, only ssh, with keys, no passwords... Otherwise no access.
My $0.02 ;)
Rick Bragg

> Thanx Sam. Suspected as much. Cheers.
>
> --
> Joe Golden /_\ www.Triangul.us /_\ websites with class
>
> On 12/13/2012 11:01 AM, Sam Hooker wrote:
>> Hi Joe,
>>
>> I've tunneled a lot of stuff over SSH, and it's a great band-aid, but
>> always feels heavy-handed. My initial thought is that you're going to
>> deal with maintaining/distributing asymmetric crypto one way or the
>> other. Which is to say: You'd probably want your SSH tunnels to
>> re-establish themselves w/o user intervention...which likely means
>> key-based auth (unless you've got a Kerberos card you haven't played
>> yet)...which isn't that much more easily-managed than X.509 certs for
>> TLS. Additionally, since SSH tunnels are bad at bringing themselves
>> back to life after link failure without additional glue, and rsyslog
>> probably has built-in support for addressing that problem, rsyslog's
>> own TLS implementation is probably a win.
>>
>>
>> $0.02,
>>
>> -sth
>>
>> sam hooker|[email protected]|http://www.noiseplant.com
>>
>> "To invent, you need a good imagination and a pile of junk." Thomas
>> Edison
>>
>> ----- Original Message -----
>>> From: "joe golden" <[email protected]>
>>> To: [email protected]
>>> Sent: Thursday, December 13, 2012 10:45:00 AM
>>> Subject: secure remote rsyslog
>>>
>>> Anyone have any links or advice for rsyslogd over ssh? Good idea?
>>> Bad idea?
>>>
>>> I'm trying to set up centralized logging and might as well do it in
>>> a secure fashion. Rather not go through the hassle of ssl certs if
>>> not necessary. That said, it looks like rsyslogd with TLS
>>> (http://www.rsyslog.com/doc/rsyslog_tls.html) may be the way to
>>> go.
>>>
>>> I live in the Debian flavored world.
>>>
>>> Cheers with beers.
>>>
>>> -- Joe Golden /_\ www.Triangul.us /_\ websites with class
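Added example, not part of the original thread or written by any of its participants: a sketch of the rsyslog-native TLS setup the thread settles on, in legacy directive syntax, with a disk-assisted queue so forwarding resumes after a link failure without extra glue. The host name logs.example.net, the file names, the certificate paths and the choice of port 6514 are assumptions; on Debian the gtls driver comes from the rsyslog-gnutls package.

```conf
# ---- Client: /etc/rsyslog.d/forward-tls.conf (constructed example) ----
# All paths and logs.example.net are placeholders.

# Use the GnuTLS netstream driver and the X.509 material for this host.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/client-key.pem

# Mode 1 = TLS only. x509/name checks the server certificate's name,
# so a host that merely answers on the port is not accepted.
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logs.example.net

# Disk-assisted queue: buffer while the link is down, retry forever,
# and keep queued messages across an rsyslog restart.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwd_tls
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# @@ = TCP; the directives above apply to this action.
*.* @@logs.example.net:6514

# ---- Server: /etc/rsyslog.d/listen-tls.conf (constructed example) ----
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/server-key.pem

$ModLoad imtcp
# Accept TLS only, and only from clients whose certificate name matches.
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerRun 6514
```

Running `rsyslogd -N1` on each host checks the configuration for syntax errors before the daemon is restarted.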
