On February 3, 2004 05:04 am, Stuart Sears wrote:
> On Tuesday 03 Feb 2004 12:23, diego.veiga@xxxxxxxxxxxxxx wrote:
> > Better question
> >
> > I had generated a key with ssh password for user root, the other users
> > are accessing the ssh by user and unix password, but how can I do for
> > user root only authenticate with the key, not with user and unix password
> > too.
>
> This seems like an odd thing to want to do. The key doesn't add any extra
> security as far as I can see? If you don't mind my asking, why exactly do
> you want to do this? Are you planning on allowing multiple users to log in
> remotely as root?
>
> Stuart
> --
> Stuart Sears RHCE/RHCX

Hi,

The advantage of the key auth is that you can restrict access to originate
from a machine with the key, which adds one more source validation (as well
as IP). A second advantage is the passphrase can be very long, cryptic and
different than the user's regular password.

Combining ssh key authentication with a strong passphrase along with
IPtables and PAM and TCPwrappers creates a very thick layered authentication
scheme. PAM can restrict by time as well as userid, and wrappers can add dns
reverse lookup as well as provide a fallback for IPTables.

I have a few docs on these things at http://nesbitt.yi.org/howto.shtml

All that said, I am not aware of a method to force one set of users to only
use a password (no key option) and another set of users to only use a key
(no password option).

I personally would not allow any remote login by root except maybe on a
system with no other accounts (fw or something). If you disallow root login,
you could let users log in as their regular id, then use sudo to control
what root access is allowed or PAM to control who can su to what other
accounts.

--
Pete Nesbitt, rhce
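
The setup asked about in this thread (root limited to key authentication while other accounts keep password login) can be checked against an sshd_config with a small audit script. This is an added example, not part of the original messages: the sample configs and the user name alice are constructed, the parser models only global keywords and exact `Match User` blocks, and the defaults assumed are those of OpenSSH 7.0 and later.

```python
# Added example, not from the thread. Simplified model of sshd_config
# evaluation: only "Match User" criteria with exact names are understood.
DEFAULTS = {"permitrootlogin": "prohibit-password",   # OpenSSH 7.0+ default
            "passwordauthentication": "yes"}

def effective(config_text, user):
    """Return the effective value of each keyword in DEFAULTS for `user`."""
    global_vals, match_vals = {}, {}
    target = global_vals                      # section currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            crit = value.split()
            users = crit[1].split(",") if len(crit) == 2 and crit[0].lower() == "user" else []
            target = match_vals if user in users else {}   # {} discards other blocks
            continue
        target.setdefault(keyword, value.lower())   # sshd uses the first value obtained
    return {k: match_vals.get(k, global_vals.get(k, d)) for k, d in DEFAULTS.items()}

def password_login_allowed(config_text, user):
    """True if `user` can authenticate with the 'password' method."""
    eff = effective(config_text, user)
    if eff["passwordauthentication"] != "yes":
        return False
    if user == "root":
        # Only "yes" lets root use a password; "prohibit-password",
        # "without-password", "forced-commands-only" and "no" all refuse it.
        return eff["permitrootlogin"] == "yes"
    return True

# Constructed sample configs (not taken from any real host).
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
MATCHED = "PermitRootLogin yes\nMatch User root\n    PasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED), ("MATCHED", MATCHED)):
        print(name, {u: password_login_allowed(cfg, u) for u in ("root", "alice")})
```

The check covers the `password` method only; keyboard-interactive prompts driven by PAM are governed by separate keywords and are not modelled here.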