Re: Enabling SSHD
- In reply to: Jonathan Adams : "Re: Enabling SSHD"
Date: Mon, 29 Jan 2024 14:34:00 UTC

Greetings.

On 29 Jan 2024, at 13:14, Jonathan Adams wrote:

> Please disable root logins via SSH. Even on your LAN, it's bad practice.

I think this is going a step too far.

I'd agree with you that password-based root access is likely to be problematic (pace Paul Foster's comments elsewhere in the thread), but key-based ssh authentication, plus either group or cert-based AuthZ, seems adequately secure.

ssh certs are quite nice -- [1] is a nice write-up. Short-validity ssh certs let you control who has access, and allow clear logging of who has connected. Password-based root logins don't make clear who has logged in, and to me that's an important argument against permitting that.

I don't see a difference, in security terms, between permitting sudo to a root shell, and permitting cert-based ssh access.

(I'm talking only about internal connections, of course -- outward facing sshd servers are a different issue).

Best wishes,

Norman

[1] https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

--
Norman Gray : https://nxg.me.uk
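
Added example, not part of the message above or of any project it mentions: a short Python parser that attributes accepted root logins in an sshd auth log, showing that a certificate login records the certificate's key ID and serial while a password login names nobody. The log lines are constructed samples that follow the layout of OpenSSH's "Accepted ..." messages, and `attribute_root_logins` is a hypothetical helper name.

```python
import re

# Constructed sample lines (hosts, addresses, key IDs and fingerprints are
# made up); the layout follows OpenSSH's "Accepted ..." auth log messages.
SAMPLE_LOG = """\
Jan 29 09:02:11 host1 sshd[811]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Jan 29 09:05:40 host1 sshd[845]: Accepted publickey for root from 192.0.2.11 port 50311 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINTAAAA
Jan 29 09:07:02 host1 sshd[860]: Accepted publickey for root from 192.0.2.12 port 50420 ssh2: ED25519-CERT SHA256:EXAMPLEFINGERPRINTBBBB ID alice@example.org (serial 17) CA ED25519 SHA256:EXAMPLECAFINGERPRINT
Jan 29 09:09:30 host1 sshd[872]: Accepted publickey for bob from 192.0.2.13 port 50533 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINTCCCC
Jan 29 09:10:00 host1 sshd[880]: Failed password for root from 192.0.2.14 port 50600 ssh2
"""

# The key part is optional (password logins have none); the certificate part
# (ID, serial, CA) is optional again (plain public keys have none).
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ (?P<ca_fp>\S+))?)?"
)


def attribute_root_logins(log_text):
    """Return one record per accepted root login, with whatever identity the log gives."""
    records = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m or m["user"] != "root":
            continue
        if m["key_id"]:
            # Certificate login: the CA-assigned key ID names the holder directly.
            who, basis = m["key_id"], "certificate"
        elif m["fp"]:
            # Plain key: only a fingerprint, to be mapped to a person elsewhere.
            who, basis = m["fp"], "key-fingerprint"
        else:
            # Password login: the log shows the source address and nothing more.
            who, basis = None, "password"
        serial = int(m["serial"]) if m["serial"] else None
        records.append({"addr": m["addr"], "basis": basis, "who": who, "serial": serial})
    return records


if __name__ == "__main__":
    for rec in attribute_root_logins(SAMPLE_LOG):
        print(rec)
```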