[CentOS] Disabling Password authenitication with SSH

[Peter Serwe]

> PermitRootLogin without-password
> AuthorizedKeysFile    /just_a_dir/authorized_keys/%u
> PasswordAuthentication no
> UsePAM yes
>
> This will give you control of access if at least the 
> /just_a_dir/authorized_keys folder is not writeable for the world (the 
> keys need to  readable, not writeable for the user that tries to log on)
Setting "PermitRootLogin without-password" doesn't help your 
authorized_keys issue, doesn't
do anything to make ssh keys work better, and just opens you up to a 
whole world of issues in
the event of some sort of a security problem.

I personally set "PermitRootLogin no" on anything I allow direct access 
from the outside world to.

Setting the AuthorizedKeysFile to anything other than 
~/.ssh/authorized_keys seems ludicrous
to me as well.  It's not like a user can do anything with that file 
other than add to it, or steal public
keys from machines that are allowed to login to it without a password, 
thereby allowing either
a different machine to log into that machine without a password, or 
propagating the machines
your trusted hosts can log into without a password.

Personally, too much trust is a bad thing.  If you need to automate 
stuff, do it on locked-down
user accounts and give them permissions to put the stuff where they need 
to go, or cron something
to check for the data and move it.

Peter

-- 
Peter Serwe <peter at infostreet dot com>

http://www.infostreet.com

"The only true sports are bullfighting, mountain climbing and auto racing." -Earnest Hemingway

"Because everything else requires only one ball." -Unknown

"Do you wanna go fast or suck?" -Mike Kojima

"There are two things no man will admit he cannot do well: drive and make love." -Sir Stirling Moss