On 2023-06-30 at 15:49 +0200, Sebastian Luhnburg wrote:
> First, in my LPIC-1 course the lecturer told me it is better (not
> binding) to deny SSH login for root users (especially for the user with
> the name root). The reason is simple: decrease the attack surface. Yes,
> a secure password needs a lot of time to be cracked via brute force, but
> if the attacker does not know the username, which is needed to log in, the
> attacker must get two things. In my opinion, decreasing the attack
> surface is a good approach.
It's not a bad approach. But with "PermitRootLogin prohibit-password" it's not even possible to attempt guessing the root password (with a random password like you use, it won't be guessed, but it will produce cleaner logs). SSH keys are really the way to go for ssh connections.

> If I use SSH keys, it is a decentral approach. Every user must manage
> his keys, which allow connecting to the servers.

Every user creates his own key. If Bob loses his laptop ssh key, only that key needs to be replaced, no change for Alice, and no need to change the passwords for all the servers in the company.

What you should have is a process to change the keys (new employee, reinstalled computer, lost laptop, employee leaves the company...). This could be an automated system that propagates the changes to all servers (usual systems are ansible, chef, puppet...), or the servers could be fetching the keys on the fly from a centralized place (generally LDAP) through an AuthorizedKeysCommand script.
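The setup described in the reply above (root login restricted to keys, password authentication off, keys served centrally by an AuthorizedKeysCommand script), as an added example that is not part of the original thread. The key store is a constructed flat file standing in for the LDAP directory the reply mentions, the sshd_config fragment is constructed, and the script path /usr/local/sbin/fetch-keys is an assumed name:

```shell
#!/bin/sh
# Added example, not code from the thread. Shows (1) a minimal
# AuthorizedKeysCommand script that answers sshd's "which keys may log in
# as this user?" from a central store, and (2) a check of the sshd_config
# settings the reply recommends.
# Assumption: the central store is a constructed file, one key per line
# ("user keytype base64 comment"), in place of an LDAP sshPublicKey lookup.

TMP="${TMPDIR:-/tmp}"
KEYSTORE="$TMP/sshkeys.example"
SSHD_CFG="$TMP/sshd_config.example"

# Constructed key data; the base64 parts are made up, not real keys.
cat > "$KEYSTORE" <<'EOF'
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICE0000000000000000000000000000 alice@laptop
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBOB00000000000000000000000000000000 bob@laptop
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBOB22222222222222222222222222222222 bob@desktop
EOF

# Constructed sshd_config fragment. The second PermitRootLogin line is
# deliberate: sshd takes the FIRST value of a keyword, so it is ignored.
cat > "$SSHD_CFG" <<'EOF'
# constructed fragment of /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/sbin/fetch-keys %u
AuthorizedKeysCommandUser nobody
PermitRootLogin yes
EOF

# AuthorizedKeysCommand entry point. sshd would invoke it as
#   /usr/local/sbin/fetch-keys %u
# and treat whatever it prints on stdout as authorized_keys lines.
# Nothing printed means no key is accepted for that user.
fetch_keys() {
    user=$1
    # The user name comes from the unauthenticated connection. Refuse
    # anything that is not a plain Unix user name so it can never become
    # part of a directory query, a path, or a shell command.
    case $user in
        ""|*[!a-z0-9_-]*) return 1 ;;
    esac
    keys=$(awk -v u="$user" '$1 == u { sub(/^[^ ]+ /, ""); print }' "$KEYSTORE")
    [ -n "$keys" ] || return 1
    printf '%s\n' "$keys"
}

# Effective value of one sshd_config keyword: first occurrence wins,
# keywords are case-insensitive, comments start with '#'.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Returns 0 when the config matches the reply's recommendations:
# root only via key (or not at all), no password auth, and the
# AuthorizedKeysCommand running as an unprivileged user.
hardening_ok() {
    cfg=$1
    case $(sshd_setting "$cfg" PermitRootLogin) in
        no|prohibit-password|without-password) ;;
        *) return 1 ;;
    esac
    [ "$(sshd_setting "$cfg" PasswordAuthentication)" = no ] || return 1
    # sshd requires AuthorizedKeysCommandUser when AuthorizedKeysCommand
    # is set; it should not be root, since the command parses client input.
    cmduser=$(sshd_setting "$cfg" AuthorizedKeysCommandUser)
    [ -n "$cmduser" ] && [ "$cmduser" != root ] || return 1
}

# Demo: what sshd receives when bob connects, then the config verdict.
fetch_keys bob
hardening_ok "$SSHD_CFG" && echo "sshd_config: ok"
```

Replacing bob's lost laptop key means editing one line in the central store; no server's authorized_keys file changes, which is the point the reply makes. In a real deployment the awk lookup is the place an ldapsearch for the user's sshPublicKey attribute would go, and the user-name check before it stays.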