[CentOS] SSH Automatic Log-on Failure - Centos 5.5
John Hodrien
J.H.Hodrien at leeds.ac.uk
Thu Jan 27 07:59:30 UTC 2011
On Thu, 27 Jan 2011, Nico Kadel-Garcia wrote:
> Wrong again. Never use public key access for root accounts, it simply
> compounds the security risks. Passphrase protected SSH keys can be
> used, reasonably, for account access on other hosts, but should be
> avoided for root access. If you *HAVE* to use an SSH key for root, for
> example for "rsync" based backup operations, use rssh to restrict its
> operations or designate a permitted command associated with that key
> in the target's authorized_keys.
Is this actually current doctrine for typical machines? I thought plenty of
people advocated restricting ssh to AllowRoot without-password. What exactly
is your security concern with having password protected key access to a
machine's root account?
I'll agree Using command= for things like rsync backups is definitely a good
idea, as it means you can put ssh keys on machines that only grant them single
command access.
jh
More information about the CentOS
mailing list