[Gllug] Selective SSH logins
Garry Heaton
garry at heaton6.freeserve.co.uk
Tue Aug 26 12:22:30 UTC 2008
John Winters wrote:
> Garry Heaton wrote:
>> Anyone know how to restrict SSH password logins to one account while
>> retaining key authentication for everything else? The only server-wide
>> options I can see are:
>>
>> PubKeyAuthentication yes/no
>> PasswordAuthentication yes/no
>>
>> I want to have everybody using key authentication but retain one password
>> login in case something goes wrong with the keys.
>
> The problem with that is you've immediately compromised your security by
> allowing access to anyone who can brute-force the password.
>
> What are you worrying might happen to the keys? They don't rot you
> know. Your only possible problem is if you mangle authorized_keys on
> the server or accidentally delete your local copy of the private key on
> your client machine. To guard against the latter, keep backups, and the
> way I've handled the former problem in the past is to have one account
> on the server which is used *only* for emergency ssh access. It still
> needs public key authentication, but because the account is used for
> absolutely nothing else there is no danger of accidentally deleting its
> authorized_keys file. (Unless you type "rm -rf /" as root, but if you
> do that then you've got bigger problems.)
>
>
> HTH
> John
I was going to restrict access to the password login by IP address at the
firewall locally and on the router.
Garry
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
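Added example, not part of the original thread: one way to get the behaviour asked about is an sshd_config `Match` block, which overrides `PasswordAuthentication` for a single account and can also tie that exception to a source address, as Garry proposes doing at the firewall. The account name `rescue` and the range 192.0.2.0/24 are placeholders assumed for illustration.

```conf
# /etc/ssh/sshd_config  (added example; "rescue" and 192.0.2.0/24 are placeholders)

# Global default for every account: public keys only, no passwords.
PubkeyAuthentication yes
PasswordAuthentication no

# Exception: the emergency account may authenticate with a password,
# but only when the connection comes from the listed network.
# All criteria on a Match line must be satisfied for the block to apply,
# so a "rescue" login from any other address still falls under the
# global "PasswordAuthentication no".
Match User rescue Address 192.0.2.0/24
    PasswordAuthentication yes

# A Match block extends to the next Match line or the end of the file,
# so keep global settings above this point.
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded. Where PAM keyboard-interactive authentication is enabled it can also accept passwords, so it needs the same global restriction for the key-only default to hold.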