[Watford] SSH Questions

Mark Stewart markwstewart at gmail.com
Wed Sep 17 08:15:42 UTC 2008


I use PAM with ssh already and am now just considering preventing the use of
keys on internal Linux workstations. I'm going to do some more testing and
see what works best; good to hear the views of others.

Just for info, on my externally facing servers I think the use of keys is
more secure. I disable password authentication and have two ssh daemons -
one for logging into from the outside that disables root login and another
ssh daemon that only allows local connections and allows you to become root.
(All on non-standard ports.)

Steve, can you elaborate on what a GPS is?

2008/9/17 Alain Williams <addw at phcomp.co.uk>

> On Tue, Sep 16, 2008 at 09:54:04PM +0100, Magnus Kelly wrote:
>
> > Then is it not possible to control which account the ssh key opens and
> > then force the user to su post login to a password protected account
> > that does not allow direct login - hence without the key you can't try
> > and login to the correct account that has the rights to perform the
> > legit remote process.
>
> You could look at PAM. Put something appropriate into /etc/pam.d/sshd
> to limit what accounts someone can ssh in to. The user would then
> have to 'su' to get further.
>
> In /etc/ssh/sshd_config you can also control which accounts can be logged
> in to.
>
> PAM is prob more flexible ATM, although there is some work to make sshd
> do some of this itself.
>
> --
> Alain Williams
> Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT
> Lecturer.
> +44 (0) 787 668 0256  http://www.phcomp.co.uk/
> Parliament Hill Computers Ltd. Registration Information:
> http://www.phcomp.co.uk/contact.php
> Chairman of UKUUG: http://www.ukuug.org/
> #include <std_disclaimer.h>
>
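
The two-daemon layout described in the message above, sketched as a pair of sshd_config files. This is an added example, not configuration from the original post: the file names, port numbers, the `deploy` account and the choice of password authentication for root on the loopback daemon are all assumptions made for illustration.

```conf
# ---- /etc/ssh/sshd_config_external  (hypothetical file name) ----
# Internet-facing daemon: key-only logins, never root.
Port 2222                          # assumed non-standard port
ListenAddress 0.0.0.0
PidFile /run/sshd_external.pid     # each daemon needs its own PID file
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# With UsePAM on, keyboard-interactive can still prompt for a password
# through PAM, so it has to be switched off as well.
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers deploy                  # hypothetical unprivileged account

# ---- /etc/ssh/sshd_config_local  (hypothetical file name) ----
# Loopback-only daemon: the one place root may authenticate.
Port 2200                          # assumed non-standard port
ListenAddress 127.0.0.1            # not reachable from the network
PidFile /run/sshd_local.pid
PermitRootLogin yes
# Assumption: root uses a password here, so a stolen key for the
# external account is not enough on its own to reach root.
PasswordAuthentication yes
PubkeyAuthentication no
UsePAM yes
AllowUsers root@127.0.0.1          # USER@HOST pattern: root, from loopback only

# Check each file, then start one daemon per file:
#   sshd -t -f /etc/ssh/sshd_config_external
#   sshd -t -f /etc/ssh/sshd_config_local
#   sshd -f /etc/ssh/sshd_config_external
#   sshd -f /etc/ssh/sshd_config_local
```

`AllowUsers` is the sshd_config control over which accounts can be logged in to that the quoted reply mentions; the same restriction can be placed in /etc/pam.d/sshd instead.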