[Gllug] Selective SSH logins
Alistair Mann
gllug at lgeezer.net
Tue Aug 26 20:19:47 UTC 2008
John Winters wrote:
> Garry Heaton wrote:
>> I want to have everybody using key authentication but retain one password
>> login in case something goes wrong with the keys.
>
> The problem with that is you've immediately compromised your security by
> allowing access to anyone who can brute-force the password.

Such attacks can be addressed with something like fail2ban
(http://www.fail2ban.org) which can create firewall-imposed lock-outs of
such length that a brute-force attack would be infeasible given the
search space.

Passwords are more at risk from social and keylogging attacks, imho. But
the alternative for most means keeping the authorized key on a memory
stick around their neck -- not an improvement.
--
Alistair Mann
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
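
An added example, not part of the original post and not fail2ban's own code: a simplified Python model of the lock-out described in the reply above, run over constructed sshd log lines, with an estimate of how long a single source would need to cover a password search space. The option names maxretry, findtime and bantime follow fail2ban's jail settings; the values, log lines and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the original post); documentation IP ranges.
SAMPLE_LOG = """\
Aug 26 20:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Aug 26 20:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Aug 26 20:00:05 host sshd[103]: Accepted publickey for garry from 198.51.100.4 port 5000 ssh2
Aug 26 20:00:06 host sshd[104]: Failed password for root from 203.0.113.7 port 4003 ssh2
Aug 26 20:00:07 host sshd[105]: Failed password for root from 203.0.113.7 port 4004 ssh2
Aug 26 20:20:00 host sshd[106]: Failed password for garry from 198.51.100.4 port 5001 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port")

def find_bans(log, maxretry=3, findtime=600, bantime=3600, year=2008):
    """Return [(ip, ban_start, ban_end)] using a sliding window of failures per IP."""
    recent, banned_until, bans = {}, {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if banned_until.get(ip, ts) > ts:
            continue  # the firewall would already be dropping this source
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, ts, end))
            recent[ip] = []  # start counting afresh once the ban expires
    return bans

def years_to_exhaust(alphabet, length, maxretry=3, bantime=3600):
    """Worst-case years for one source to try every password when each
    burst of `maxretry` guesses costs a `bantime`-second lock-out."""
    guesses_per_second = maxretry / bantime
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)
```

The estimate covers a single source address only; guesses spread across many addresses each get their own allowance, so the per-source figure is an upper bound on the protection.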