Re: Disabling Password authentication with SSH





PermitRootLogin without-password
AuthorizedKeysFile    /just_a_dir/authorized_keys/%u
PasswordAuthentication no
UsePAM yes

This will give you control of access if at least the /just_a_dir/authorized_keys folder is not writeable for the world (the keys need to be readable, not writeable, for the user that tries to log on).
Setting "PermitRootLogin without-password" doesn't help your authorized_keys issue, doesn't do anything to make ssh keys work better, and just opens you up to a whole world of issues in the event of some sort of a security problem.

I personally set "PermitRootLogin no" on anything I allow direct access from the outside world to.

Setting the AuthorizedKeysFile to anything other than ~/.ssh/authorized_keys seems ludicrous to me as well. It's not like a user can do anything with that file other than add to it, or steal public keys from machines that are allowed to login to it without a password, thereby allowing either a different machine to log into that machine without a password, or propagating the machines your trusted hosts can log into without a password.

Personally, too much trust is a bad thing. If you need to automate stuff, do it on locked-down user accounts and give them permissions to put the stuff where they need to go, or cron something to check for the data and move it.

Peter

--
Peter Serwe <peter at infostreet dot com>

http://www.infostreet.com

"The only true sports are bullfighting, mountain climbing and auto racing." -Ernest Hemingway

"Because everything else requires only one ball." -Unknown

"Do you wanna go fast or suck?" -Mike Kojima

"There are two things no man will admit he cannot do well: drive and make love." -Sir Stirling Moss

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
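
An added example, not part of the original message or of OpenSSH: a small audit of the directives discussed in this thread. It reports whether password logins and direct root logins are switched off, and whether a central key store named by AuthorizedKeysFile is writable by group or world. The `audit` helper and the account name `alice` are assumptions made for illustration.

```python
import os
import stat

# Directives quoted in the thread, reproduced as sample input.
SAMPLE = """\
PermitRootLogin without-password
AuthorizedKeysFile    /just_a_dir/authorized_keys/%u
PasswordAuthentication no
UsePAM yes
"""

def parse_sshd_config(text):
    """Return {keyword: value} for the global section; the first value wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional Match blocks are out of scope here
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text, user):
    """Hypothetical helper: list findings for one account name."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "unset").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    root = cfg.get("permitrootlogin", "unset")
    if root.lower() != "no":
        findings.append("PermitRootLogin is '%s', not 'no'" % root)
    keyfile = cfg.get("authorizedkeysfile", ".ssh/authorized_keys").split()[0]
    keyfile = keyfile.replace("%u", user)
    if os.path.isabs(keyfile):  # central key store outside the home directory
        for path in (os.path.dirname(keyfile), keyfile):
            if not os.path.exists(path):
                findings.append("%s does not exist" % path)
            elif os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("%s is group- or world-writable" % path)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "alice"):
        print(finding)
```

On a live host, feed it the effective configuration printed by `sshd -T` rather than the raw file, so that defaults and included files are taken into account.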
