openssh concerns
Garrett Wollman
wollman at bimajority.org
Tue Oct 6 21:09:20 UTC 2009
<<On Tue, 6 Oct 2009 15:49:16 -0400, jhell <jhell at DataIX.net> said:
> Don't forget about making good use of the following configuration
> turntables. You can enforce a default policy of deny by just saying that a
> user must be in the group of AllowGroups. This does enforce a little bit
> more of an administrative overhead but that's for your staff and policy to
> decide.
Indeed, for a personal server that only I ever log in to, one of the
first things that I do is add "AllowUsers wollman" to
/usr/local/etc/ssh/sshd_config. That's just a belt-and-suspenders
thing, though, to make sure that I don't fat-finger the password file
or something. I generally ignore the ssh "invalid user" complaints --
I have a modified version of /etc/periodic/security/800.loginfail that
filters them out -- because they're totally irrelevant and have no
impact on security. That allows me to pay attention to the (very
occasional) password failures on real user accounts.
-GAWollman
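
The filtering described in the reply above, as an added example: this is not the poster's modified script and not FreeBSD's 800.loginfail. The log lines are constructed (documentation-range addresses), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Separates sshd noise about accounts that cannot log in
# from password failures on real accounts.

# Constructed sample of sshd auth log lines.
sample_log() {
cat <<'EOF'
Oct  6 03:12:01 host sshd[811]: Invalid user admin from 192.0.2.10
Oct  6 03:12:03 host sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
Oct  6 03:12:09 host sshd[815]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  6 03:12:11 host sshd[815]: Failed password for invalid user root from 192.0.2.10 port 40031 ssh2
Oct  6 09:30:44 host sshd[902]: Failed password for wollman from 198.51.100.7 port 51515 ssh2
Oct  6 09:30:50 host sshd[902]: Failed password for wollman from 198.51.100.7 port 51515 ssh2
Oct  6 09:31:02 host sshd[902]: Accepted password for wollman from 198.51.100.7 port 51515 ssh2
EOF
}

# Keep only password failures for accounts sshd treats as valid.
# Accounts rejected by AllowUsers are logged as "invalid user" too,
# so they drop out along with nonexistent names.
real_account_failures() {
    grep 'sshd\[[0-9]*]: Failed password for ' |
    grep -v 'Failed password for invalid user '
}

# Count the lines the filter treats as noise.
noise_count() {
    grep -c -E 'Invalid user |invalid user |not allowed because not listed in AllowUsers'
}

# One line per (account, source address): "user address count".
summarise_failures() {
    real_account_failures |
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "for") { print $(i + 1), $(i + 3); break } }' |
    sort | uniq -c | awk '{ print $2, $3, $1 }'
}

sample_log | summarise_failures
```

On a live host the same functions can read the real log on standard input, for example `summarise_failures < /var/log/auth.log`.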
More information about the freebsd-security mailing list