[CLUE-Tech] more hack attempts
jim feldman
jmf at jim-liesl.org
Sun Aug 8 18:18:38 MDT 2004
May I suggest the following? Only allow pub keys, only generate encrypted pub
keys. Thus the login depends on something you have (the key) and something you
know (the pass phrase). The key can reside on disk, floppy or flash drive and,
assuming a reasonably good pass phrase, is even secure if lost.

They can attack all day long, and as long as there's no exploitable program flaw
in sshd, it's highly unlikely they will ever be successful.

Oh, and disable root login:

PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
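
Added example, not part of the original post: a small Python check that the settings above are actually in effect, reading a config the way sshd does (commented lines are inactive, the first occurrence of a keyword wins). The function names and both sample configs are constructed for illustration.

```python
import re

# Values the configuration in the post depends on (keywords lowercased).
REQUIRED = {
    "permitrootlogin": "no", "pubkeyauthentication": "yes",
    "passwordauthentication": "no", "challengeresponseauthentication": "no",
}
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)")

def effective_settings(config_text):
    """Global keyword -> value as sshd reads it: '#' lines are ignored,
    keywords are case-insensitive, and the first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment, or bare keyword
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":         # conditional blocks are not audited here
            break
        settings.setdefault(keyword, value)
    return settings

def audit(config_text):
    """Return one finding per required keyword that is unset or wrong."""
    active = effective_settings(config_text)
    findings = []
    for keyword, want in REQUIRED.items():
        got = active.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not set, compiled-in default applies")
        elif got != want:
            findings.append(f"{keyword}: {got!r} active, want {want!r}")
    return findings

# Constructed sample: the active (uncommented) lines from the post.
POST_CONFIG = """PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
# Constructed sample: one line left commented out, one overridden earlier.
WEAK_CONFIG = """PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    print(audit(POST_CONFIG), audit(WEAK_CONFIG), sep="\n")
```
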