[Chester LUG] Digitalocean users.. a question

Steve Lilley steve.lilley at beebl.co.uk
Thu Jul 30 12:41:31 UTC 2015


I personally feel as safe logging in as root with a key (and 2 factor on DO) than I do logging on with a password as a normal user if that user is set up to sudo anyway. Then again I only use it for test and dev.

Steve


From: Chester [mailto:chester-bounces at mailman.lug.org.uk] On Behalf Of Les Pritchard
Sent: 30 July 2015 13:24
To: chester <chester at mailman.lug.org.uk>
Subject: Re: [Chester LUG] Digitalocean users.. a question

Yes, I'd agree with Mike on that. If you're creating the VPS manually you could use a temporary password for root, then create a standard user and disable the root.

If you can, I'd also recommend locking down SSH to specific IPs or at least ranges.

On 30 July 2015 at 13:17, Michael Crilly <michael at mcrilly.me> wrote:

The initial root login is designed to give you an easy way in so you can configure the system, locking down root login and removing that key from the system (after adding additional users and allowing them to sudo to root.)

Think of that initial SSH key as a deployment key - log in once with it, then use Ansible to set up your system with new users and various other state.

Cheers,

Mike.

On 30 Jul 2015 9:50 pm, "Stuart Burns" <stuart.james.burns at gmail.com> wrote:
Hi Everyone,

I am just in the process of moving over some sites to DO and I thought I would start using the stored SSH key system you can use when deploying your droplets. It works fine, no issues. Just I don't really feel comfortable logging in as root directly. Years of non-root logins make me feel itchy about this.

What does everyone else think? (I know you can alter and someone trying to crack a proper PKI implementation may have a long wait!) I was more concerned with it being out the box functionality.

Regards

Stuart

_______________________________________________
Chester mailing list
Chester at mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/chester
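
Added example, not part of any message in the thread: a shell check for the end state described above (root login disabled in sshd, deployment key removed from root's account). The function names, the file paths passed in and the sample files are constructed for illustration; it assumes whitespace-separated `Keyword value` lines.

```shell
#!/bin/sh
# Added example (not from the thread). sshd keeps the FIRST value it reads
# for a keyword, so a "PermitRootLogin no" appended below an earlier "yes"
# changes nothing. Keywords are case-insensitive.

# Print the global value of keyword $2 in config file $1, or "unset"
# (then the build default applies). Stops at the first Match block,
# whose settings are conditional.
sshd_global_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        $1 ~ /^#/ { next }                      # comment line
        tolower($1) == "match" { exit }         # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Count key lines (non-blank, non-comment) in an authorized_keys file.
count_keys() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" || true
}

# $1 = sshd_config, $2 = root's authorized_keys.
# Prints findings; returns 0 only when there are none.
audit_lockdown() {
    findings=0
    root=$(sshd_global_value "$1" PermitRootLogin)
    keys=$(count_keys "$2")
    if [ "$root" != "no" ]; then
        echo "FINDING: effective PermitRootLogin is '$root', not 'no'"
        findings=$((findings + 1))
    fi
    if [ "$keys" -gt 0 ]; then
        echo "FINDING: $keys key(s) still in root's authorized_keys"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the later "no" is ignored because "yes" comes first.
demo=$(mktemp -d)
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'ssh-ed25519 AAAAC3constructed deploy@example\n' > "$demo/root_keys"
audit_lockdown "$demo/sshd_config" "$demo/root_keys" || echo "lock-down incomplete"
rm -rf "$demo"
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check; the script above only reads the file it is given.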
