
Mailing List Archive
Re: [tlug] openssh on Centos 5.2
On 2009-08-19 12:48 +0900 (Wed), Edward Middleton wrote:
> Kyle Hasegawa wrote:
> > If you really want to harden remote root access you should disable SSH
> > root login and limit authentication to a password protected key only.
> >
> > PermitRootLogin no
> > PubkeyAuthentication yes
> > AuthorizedKeysFile .ssh/authorized_keys
> > PasswordAuthentication no

Note that this will not force users to use a "password protected key";
there's no way to do that, since you have no idea, as the server, whence
the key came. However, yes, disallowing password logins is a very, very
good idea.

> You also want to make sure UsePAM is set to no.

Oh, no, is this present in some versions of Linux, too? I know that on
NetBSD systems, UsePAM defaulted to yes, and the 'PasswordAuthentication
no' was ignored in this state, but last time I checked on Ubuntu,
password logins were still denied with 'UsePAM yes'. In fact, I just
checked again on a 9.10 system, and that seems still to be the case.

cjs
--
Curt Sampson <cjs@example.com> +81 90 7737 2974
Functional programming in all senses of the word:
http://www.starling-software.com
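
An added example, not part of the original message or thread: a small audit of the global section of an sshd_config for the directives discussed above, including one documented way a password prompt can survive 'PasswordAuthentication no', namely keyboard-interactive (ChallengeResponseAuthentication) through PAM when 'UsePAM yes' is set. That interaction comes from sshd_config(5), not from the thread. The defaults table assumes upstream OpenSSH defaults of that era, and the function names and sample configs are constructed for illustration.

```python
# Upstream OpenSSH defaults of the thread's era (assumption; vendors often
# ship an sshd_config that overrides them).
DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def effective(config_text):
    """Global-section values: keywords are case-insensitive, first one wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        if key == "match":  # per-user/host overrides are out of scope here
            break
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def findings(config_text):
    """Return a list of reasons the config is weaker than the thread intends."""
    cfg = effective(config_text)
    out = []
    if cfg["permitrootlogin"] != "no":
        out.append("root login over SSH is not disabled")
    if cfg["pubkeyauthentication"] != "yes":
        out.append("public key authentication is off")
    if cfg["passwordauthentication"] != "no":
        out.append("password authentication is enabled")
    if cfg["usepam"] == "yes" and cfg["challengeresponseauthentication"] == "yes":
        out.append("keyboard-interactive via PAM can still prompt for a password")
    return out

# Constructed samples: the four lines quoted in the thread, then two variants.
THREAD = ("PermitRootLogin no\nPubkeyAuthentication yes\n"
          "AuthorizedKeysFile .ssh/authorized_keys\nPasswordAuthentication no\n")
PAM_ON = THREAD + "UsePAM yes\n"
PAM_ON_CR_OFF = PAM_ON + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in [("thread", THREAD), ("UsePAM yes", PAM_ON),
                       ("UsePAM yes, CR no", PAM_ON_CR_OFF)]:
        print(name, "->", findings(text) or "no findings")
```

On a live host, the values sshd actually uses (including vendor defaults and Match blocks) are printed by `sshd -T`, which is the authoritative check.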