Re: Password scan
- From: Ertugrul Soeylemez <never@xxxxxxxxxxxxxx>
- Date: Sat, 23 Dec 2006 01:39:49 +0100
Jim Garrison <jhg@xxxxxxxxxxxxxxx> (06-12-22 11:19:05):
> 2) Disable root login. If you need to do remote admin, log in as a
> normal user and use su or sudo. Remember to give your non-root
> user sudo authority BEFORE you disable root login :-)
> 3) Disable password-based authentication and use key-based auth only.
> In key-based auth every user must possess a unique private key file
> in addition to the key-file's passphrase, and no password hash is
> ever sent over the wire.
Bad idea. If you need to log in as a normal user first and then issue
su/sudo to become root, an attacker can easily guess the length of the
root password by nothing more than counting packets. When using
key-based authentication, it is better to log in to root directly.
The relevant SSHD configuration parameters are:
Protocol 2
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
And of course:
ChallengeResponseAuthentication no
Regards,
E.S.
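As an added example (not part of this thread or of OpenSSH), a POSIX shell check that reads an sshd_config file and reports which of the directives listed above differ from the values given. It honours sshd's rule that the first occurrence of a keyword wins and that keywords are case-insensitive; the file it audits is constructed, and Match blocks are not interpreted.

```shell
#!/bin/sh
# Audit an sshd_config file against the directives discussed above.
# sshd uses the FIRST occurrence of a keyword, keywords are
# case-insensitive, and '#' starts a comment; this mimics that.
# Caveat: directives inside "Match" blocks are not distinguished.

# effective_value FILE KEYWORD -> prints the first effective value, if any
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> one line per mismatch; returns 1 if any
check_sshd_config() {
    file=$1
    rc=0
    for pair in \
        "Protocol 2" \
        "PasswordAuthentication no" \
        "PermitRootLogin no" \
        "PubkeyAuthentication yes" \
        "ChallengeResponseAuthentication no"
    do
        key=${pair%% *}
        want=${pair#* }
        got=$(effective_value "$file" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set (sshd default applies)"
            rc=1
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "$key: is '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed sample file (not any real host's configuration).
sample=$(mktemp)
printf '%s\n' 'Protocol 2' \
    '# PasswordAuthentication no   (commented out, so ignored)' \
    'PasswordAuthentication yes' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' > "$sample"
if check_sshd_config "$sample"; then echo "compliant"; else echo "fix needed"; fi
rm -f "$sample"
```

Run it against `/etc/ssh/sshd_config` (or the output of `sshd -T`) to see which of the listed directives still need changing.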