jggimi, 14th September 2008

You might consider using groups for access control so that you need not use root for file transfers.

Another possibility to consider, if root is needed, is to re-enable root login but disable passwords, and use public key authentication instead. In sshd_config(5) use (only the highlighted line is not a default):

Code:
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes

If you've never used public key authentication before, here's a simple level-set:

Code:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tester/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tester/.ssh/id_rsa.
Your public key has been saved in /home/tester/.ssh/id_rsa.pub.
The key fingerprint is:
3a:ca:80:b4:10:c5:ab:6a:ae:3e:3e:25:28:7f:5f:61 tester@jggimi.homeip.net

The key pair is tied together: a private half and a public half. The private half is kept private. The public half of a key pair may be sent via e-mail, or published on a website. You send the public half (id_rsa.pub) to the system you want to be able to log on to; it gets appended to $HOME/.ssh/authorized_keys.

To connect between servers, no passphrase is used. When humans use keys for authentication, it is recommended to use passphrases. The best practice for authentication is to require two components -- something the user has (the private key, a token, a fingerprint) and something the user knows (a passphrase or password).
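An added example, not part of jggimi's post: a POSIX shell check that an sshd_config file really carries the three settings shown above. The function names and the two sample files are constructed for illustration; the check reads only the global section (before any Match line).

```shell
#!/bin/sh
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive, so a later "PasswordAuthentication no" can be shadowed.

sshd_value() {  # usage: sshd_value KEYWORD FILE -> prints the value or "unset"
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        { gsub(/[="]/, " ") }               # treat = and quotes as separators
        /^[ \t]*#/ { next }                 # skip comment lines
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$2"
}

audit_root_key_only() {  # usage: audit_root_key_only FILE -> 0 if it passes
    rc=0
    pw=$(sshd_value PasswordAuthentication "$1")
    pk=$(sshd_value PubkeyAuthentication "$1")
    rl=$(sshd_value PermitRootLogin "$1")
    # Password logins must be switched off explicitly, not left to a default.
    [ "$pw" = "no" ] || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    # Key logins must stay enabled, or no login method is left.
    [ "$pk" != "no" ] || { echo "FAIL PubkeyAuthentication=no"; rc=1; }
    # Informational: the post sets this to yes so root can log in with a key.
    [ "$rl" = "yes" ] || echo "NOTE PermitRootLogin=$rl"
    return $rc
}

# Constructed samples: the post's settings, and a file where an earlier
# lowercase "passwordauthentication yes" shadows the later "no".
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$tmp/good"
printf '%s\n' '#PasswordAuthentication no' 'passwordauthentication yes' \
    'PermitRootLogin yes' 'PasswordAuthentication no' > "$tmp/shadowed"
audit_root_key_only "$tmp/good" && echo "good: ok"
audit_root_key_only "$tmp/shadowed" || echo "shadowed: rejected"
```

On a live host, `sshd -T` prints the effective configuration, which also accounts for compiled-in defaults that a file check cannot see.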