Hi Wolfgang, Ok, say you have a box that you want to remotely access. Never a need to access the box via the gui/login. And regarding the ssh/remote access, you specify public/private keys, and you have the key process run from the key file. This allows a user to be able to ssh into the box without having to use the ssh passwd, but only from the corresponding box that has the associated public (master/client) passwd/key setup to permit the login access. But in this situation, if a user hacks into the 1st system, then they have access to the 2nd system, assuming they know the 2nd system's username. This would happen as the private/public key access file has been setup! Any way around this, or am I missing something... I'm thinking that you could setup the user(s) on the client machine, to restrict access/perms, but it still doesn't do anything about the fact that once a user hacks into the parent machine, they then would have access into the 2nd machine... feedback welcome.. On Sat, Dec 21, 2013 at 9:06 PM, Wolfgang S. Rupprecht <wolfgang.rupprecht@xxxxxxxxx> wrote: > > bruce <badouglas@gma il.com> writes: >> You then mod SSH as required to disable root login >> OK, what else should you do? > > Root login isn't a bad idea in and of itself. More important is to not > allow anything but public key logins (eg. ECDSA, RSA). For people > logging in with root credentials, give everyone a different public key > and keep a secure copy of /var/log/secure on a secure system for > backtracking breakins. Each login (including root) will show which key > was used to log in. You can easily see who lost control of their key. > > I'm a firm believer in never allowing passwords logins over the net. > Users will hardly ever use random-letter-upper-lower-number passwords. > They always think they are oh so clever with easily guessed strung > together words, with or without a punctuation char. > > -wolfgang > -- > users mailing list > users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe or change subscription options: > https://admin.fedoraproject.org/mailman/listinfo/users > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines > Have a question? Ask away: http://ask.fedoraproject.org -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
