bug-bash

Re: maybe a bug in bash?


From: Ángel
Subject: Re: maybe a bug in bash?
Date: Mon, 03 Jul 2023 02:00:59 +0200

On 2023-06-30 at 15:49 +0200, Sebastian Luhnburg wrote:
> First, in my LPIC-1 course the lecturer told me it is better (not
> binding) to deny SSH login for root users (especially for the user with
> the name root). The reason is simple: decrease the attack surface. Yes,
> a secure password needs a lot of time to be cracked via brute force, but
> if the attacker does not know the username, which is needed to log in, the
> attacker must get two things. In my opinion, decreasing the attack
> surface is a good approach.

It's not a bad approach. But with "PermitRootLogin prohibit-password"
then it's not even possible to attempt guessing the root password (with
a random password like you use, it won't be guessed, but it will
produce cleaner logs).

SSH keys are really the way to use for ssh connections.

> If I use SSH keys, it is a decentralized approach. Every user must manage
> his own keys, which allow him to connect to the servers.

Every user creates his own key. If Bob loses his laptop ssh key, only
that key needs to be replaced, no change for Alice, and no need to
change the passwords for all the servers in the company.

What you should have is a process to change the keys (new employee,
reinstalled computer, lost laptop, employee leaves the company...).
This could be an automated system that propagates the changes to all
servers (usual systems are ansible, chef, puppet...), or the servers
could be fetching the keys on the fly from a centralized place
(generally LDAP) through an AuthorizedKeysCommand script.
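The two pieces Ángel describes, as an added example that is not part of the original thread: the sshd_config fragment that stops root password guessing, and the body of an AuthorizedKeysCommand script. sshd runs that command as AuthorizedKeysCommandUser with the login name (%u) as argument and treats each line it prints as an authorized_keys entry; the LDAP lookup is an assumption replaced here by a constructed flat file so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the bug-bash thread.
# ASSUMPTION: a flat "login:key-line" file stands in for the LDAP directory
# a real AuthorizedKeysCommand would query.

# (1) sshd_config fragment: root may only log in with a key, and every
#     user's keys come from the central store instead of ~/.ssh.
sshd_fragment() {
    cat <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/sbin/fetch-keys %u
AuthorizedKeysCommandUser nobody
EOF
}

# Constructed key store (placeholder keys, not real public keys).
KEYDB="$(mktemp)"
cat > "$KEYDB" <<'EOF'
alice:ssh-ed25519 AAAAexampleAlice alice@laptop
bob:ssh-ed25519 AAAAexampleBob bob@laptop
EOF

# (2) AuthorizedKeysCommand body: print the key lines for one login.
fetch_keys() {
    user="$1"
    # %u is chosen by whoever is connecting; accept only plain account
    # names so the value can never become a pattern or filter fragment.
    case "$user" in
        ""|*[!a-z0-9_-]*) return 1 ;;
    esac
    # Exact match on the login field; print everything after "login:".
    awk -F: -v u="$user" '$1 == u { print substr($0, length($1) + 2) }' "$KEYDB"
}

# Stand-alone run: show the config and the keys sshd would receive for alice.
sshd_fragment
fetch_keys alice
```

The same validation belongs in a real script because sshd passes the name through unchanged; the lookup itself would be an ldapsearch against the directory attribute holding the public keys.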
