On Fri, 9 Jan 2015, DJ Delorie wrote:
>>> So if we truly want to address this feature, we should also disallow
>>> non-root user password based ssh logins.

>> Do I get this right? You want to disallow any remote logins (which
>> nowadays means using ssh)?

> No, he means that ssh connections should require a pre-shared key.

Actually, I meant keypair based authentication with ssh using
authorized_keys (which are NOT preshared keys - it is public key
authentication).

> My systems are set up that way, you can't just ssh in from anywhere, you
> can only ssh in from machines that have your private key. If you try
> to log in without a pre-shared key, it won't prompt you for your unix
> password, it will just fail.

If your public key authentication fails, it still prompts you for a
password but even if you have set a password it will reject it. This is
to prevent leaking configuration information (e.g. to avoid telling
attackers whether or not password based logins are allowed in the
machine).

Paul
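
An added example, not part of the original thread: a small audit of `sshd_config` text for the key-only setup discussed above. It relies on the OpenSSH rule that the first value given for a keyword wins; the sample configurations are constructed, and `Match` blocks and `Include` files are deliberately not evaluated (an assumption of this sketch).

```python
# Added example: report settings that keep sshd from being key-only.
# OpenSSH defaults for the three relevant keywords.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Alternate spelling of the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Global auth settings; the first value seen for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if not parts:
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # everything below is conditional; out of scope here
        keyword = ALIASES.get(keyword, keyword)
        if keyword in DEFAULTS and keyword not in seen and len(parts) > 1:
            seen[keyword] = parts[1].strip('"').lower()
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Return findings; an empty list means key-only at the global level."""
    s = effective_settings(config_text)
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication is disabled")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive (PAM passwords) is not 'no'")
    return findings


# Constructed samples: a key-only config and one where a later "no" is shadowed.
KEY_ONLY = "PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
SHADOWED = "PasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print(audit(KEY_ONLY), audit(SHADOWED))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check, since it also resolves includes and defaults.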