jggimi
14th September 2008

You might consider using groups for access control so that you need not use root for file transfers.

Another possibility to consider, if root is needed, is to re-enable root login but disable passwords, and use public key authentication instead. In sshd_config(5) use (only the highlighted line is not a default):
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
If you've never used public key authentication before, here's a simple level-set:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tester/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tester/.ssh/id_rsa.
Your public key has been saved in /home/tester/.ssh/
The key fingerprint is:
The key-pair are tied together; a private half and a public half. The private half is kept private. The public half of a key pair may be sent via e-mail, or published on a website. You send the public half ( to the system you want to be able to log on to; it gets appended to $HOME/.ssh/authorized_keys.

To connect between servers, no passphrase is used. When humans use keys for authentication, it is recommended to use passphrases. The best practice for authentication is to require two components -- something the user has (the private key, a token, a fingerprint) and something the user knows (a passphrase or password).
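An added example, not part of jggimi's post: a small shell audit that reports the effective values of the three sshd_config settings shown above. It assumes sshd keeps the first value it reads for a keyword and matches keywords case-insensitively; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config for key-only authentication.

# Print the effective global value of keyword $2 in file $1 (lowercased).
# The first occurrence wins; parsing stops at the first Match block,
# because settings below it apply only conditionally.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, allow Keyword=value
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when passwords are off and public keys are on.
# An absent PubkeyAuthentication counts as "yes" (its default);
# an absent PasswordAuthentication fails, since its default is "yes".
check_key_only() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    rl=$(effective_value "$1" PermitRootLogin)
    echo "PermitRootLogin=${rl:-unset} PasswordAuthentication=${pw:-unset} PubkeyAuthentication=${pk:-unset}"
    [ "$pw" = "no" ] || { echo "FAIL: password logins are not disabled"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL: public key logins are disabled"; rc=1; }
    return $rc
}

# Constructed sample: a commented-out line, mixed case, a later duplicate
# that sshd ignores, and a Match block that the global audit skips.
sample_config() {
cat <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
passwordauthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

demo_file=$(mktemp)
sample_config > "$demo_file"
check_key_only "$demo_file"
rm -f "$demo_file"
```

To audit a live system, call `check_key_only` with the path to the server's sshd_config; any Match blocks need a separate review, since this check covers only the global section.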