On Sun, 2008-03-30 at 22:24 -0400, Ciro Iriarte wrote:
2) disable PasswordAuthentication Specifies whether password authentication is allowed. ==> The default is "yes". <==
If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
This is not really user-friendly, so I do not think we will do this.
I use a private key, but I second this..
Perhaps at present.... Maybe in the future, a nice and safe pair of keys can be generated automagically when creating user-accounts....
3) disable root access. PermitRootLogin Specifies whether root can log in using ssh ==> The default is "yes". <== Horrible!!
This would be an idea.
That would be annoying, I have some servers where I don't have regular users or LDAP authentication (not all of them need to in our datacenter) and with this disabled I still would need to pull a serial console from somewhere to change this and have access to the headless server even though the sshd is up and running after installation (remote installation case).
Why annoying? It only implied that for *remote* logins, you have to use an ordinary user-account, and then do a "su -" or a "sudo". Anyway, it was a suggestion for the _default_ config. People like you, who know what you're doing, can change it easily any way they want.
4) restrict access with "AllowUsers" This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==
Not user-friendly either.
Agreed. Easy access to remote (not local) systems and security are at opposite sides of the spectrum.
hw
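Added example, not part of the thread or of any poster's message: a small auditor that reports which of the three sshd_config keywords discussed above (PasswordAuthentication, PermitRootLogin, AllowUsers) are still at the permissive defaults quoted in the thread. The sample configurations and function names are constructed for illustration, and the defaults are the ones the thread quotes, which other OpenSSH versions may not share.

```python
import re

# Defaults as quoted in this thread (2008-era man page text); an assumption of
# this example, other OpenSSH releases may ship different defaults.
THREAD_DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "yes"}

def effective_settings(config_text):
    """Return the global values sshd would use for the three keywords."""
    eff = dict(THREAD_DEFAULTS)
    allow_users, seen = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives leave the default in force
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks follow; the global section ends here
        if key == "allowusers":
            allow_users.extend(value.split())  # repeated lines accumulate
        elif key in eff and key not in seen:
            eff[key] = value.lower()  # the first occurrence wins in sshd
            seen.add(key)
    eff["allowusers"] = allow_users
    return eff

def audit(config_text):
    """List the keywords that are still as permissive as the thread describes."""
    eff = effective_settings(config_text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication")
    if eff["permitrootlogin"] != "no":
        findings.append("PermitRootLogin")
    if not eff["allowusers"]:
        findings.append("AllowUsers")
    return findings

# Constructed samples: a stock-style file with everything commented out,
# and one with the three suggestions from the thread applied.
STOCK_SAMPLE = "#PasswordAuthentication yes\n#PermitRootLogin yes\nUsePAM yes\n"
HARDENED_SAMPLE = ("PasswordAuthentication no\nPermitRootLogin no\n"
                   "AllowUsers alice bob@192.0.2.*\n")

if __name__ == "__main__":
    for name, text in (("stock", STOCK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, "->", audit(text) or "no permissive defaults left")
```

A setting placed only inside a Match block does not change the global value, so the auditor still reports it.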