[CentOS] Disabling Password authentication with SSH
Theo Band
theo.band at xanadu-wireless.com
Sat Feb 10 01:04:26 UTC 2007
Peter Serwe wrote:
>
>> PermitRootLogin without-password
>> AuthorizedKeysFile /just_a_dir/authorized_keys/%u
>> PasswordAuthentication no
>> UsePAM yes
>>
>> This will give you control of access if at least the
>> /just_a_dir/authorized_keys folder is not writeable for the world
>> (the keys need to be readable, not writeable, for the user that tries to
>> log on)
> Setting "PermitRootLogin without-password" doesn't help your authorized_keys
> issue, doesn't do anything to make ssh keys work better, and just opens you up
> to a whole world of issues in the event of some sort of a security problem.
The reason it's still open for root (with key), is that it's being
synced to a remote mirror. Indeed closing the access is always better.
>
> I personally set "PermitRootLogin no" on anything I allow direct access from
> the outside world to.
>
> Setting the AuthorizedKeysFile to anything other than ~/.ssh/authorized_keys
> seems ludicrous to me as well. It's not like a user can do anything with that
> file other than add to it, or steal public keys from machines that are allowed
> to login to it without a password, thereby allowing either a different machine
> to log into that machine without a password, or propagating the machines your
> trusted hosts can log into without a password.
>
> Personally, too much trust is a bad thing. If you need to automate stuff, do it
> on locked-down user accounts and give them permissions to put the stuff where
> they need to go, or cron something to check for the data and move it.
Well I like to control what is in the public keys. This way I can limit
access based on IP. Some users only have access to CVS.
Theo
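As an added example (not code from this thread or from CentOS), a small POSIX shell audit of the sshd_config lines quoted above and of the key directory they point at: it checks that password logins are off, that root cannot use a password, that the keys directory is not world-writable, and counts keys lacking the from= restriction Theo relies on. It assumes the directory holding the per-user key files is passed in explicitly (AuthorizedKeysFile's %u expands per user) and builds a constructed fixture with placeholder key blobs.

```shell
#!/bin/sh
# Added audit script (not from the thread). Checks the sshd_config lines quoted
# above and the per-user authorized_keys directory they point at; the fixture is
# constructed here so the script runs offline.

# Print the effective value of a keyword from an sshd_config (sshd uses the first
# match), matching the keyword case-insensitively and skipping comments.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Returns 0 only if passwords are off, root cannot log in with one, and the keys
# directory is not world-writable (the condition the quoted mail insists on).
audit_sshd() {  # $1 = config file, $2 = directory holding the per-user key files
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; return 1; }
    case "$(sshd_opt "$1" PermitRootLogin)" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin allows a root password"; return 1 ;;
    esac
    case "$(ls -ld "$2")" in   # 9th char of the mode string is the world-write bit
        ????????w*) echo "$2 is world-writable: anyone could plant a key"; return 1 ;;
    esac
}

# Count keys in a file that carry no from= restriction (the IP control Theo uses).
unrestricted_keys() {  # $1 = authorized_keys file
    awk '!/^[[:space:]]*(#|$)/ && !/from=/ { n++ } END { print n + 0 }' "$1"
}

# Constructed fixture mirroring the thread; prints its directory. Key blobs are
# placeholders, not real key material.
make_sample() {
    d=$(mktemp -d) && mkdir -m 755 "$d/authorized_keys"
    cat > "$d/sshd_config" <<'EOF'
PermitRootLogin without-password
AuthorizedKeysFile /just_a_dir/authorized_keys/%u
PasswordAuthentication no
UsePAM yes
EOF
    cat > "$d/authorized_keys/theo" <<'EOF'
from="192.0.2.10" ssh-rsa AAAAB3PLACEHOLDER1 mirror-sync
command="/usr/bin/cvs server",no-pty ssh-rsa AAAAB3PLACEHOLDER2 cvs-only
ssh-rsa AAAAB3PLACEHOLDER3 laptop
EOF
    echo "$d"
}
```

Run it as `D=$(make_sample); audit_sshd "$D/sshd_config" "$D/authorized_keys"`; on a real host pass /etc/ssh/sshd_config and the directory named in AuthorizedKeysFile.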