[CentOS] SSH Automatic Log-on Failure - Centos 5.5

Thu Jan 27 07:59:30 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Thu, 27 Jan 2011, Nico Kadel-Garcia wrote:

> Wrong again. Never use public key access for root accounts, it simply
> compounds the security risks. Passphrase protected SSH keys can be
> used, reasonably, for account access on other hosts, but should be
> avoided for root access. If you *HAVE* to use an SSH key for root, for
> example for "rsync" based backup operations, use rssh to restrict its
> operations or designate a permitted command associated with that key
> in the target's authorized_keys.

Is this actually current doctrine for typical machines?  I thought plenty of
people advocated restricting ssh to AllowRoot without-password.  What exactly
is your security concern with having password protected key access to a
machine's root account?

I'll agree Using command= for things like rsync backups is definitely a good
idea, as it means you can put ssh keys on machines that only grant them single
command access.

jh