2014-01-28 Brian <a...@cityscape.co.uk>

> On Tue 28 Jan 2014 at 15:31:25 +0100, Raffaele Morelli wrote:
>
> > 2014-01-28 Joe <j...@jretrading.com>
> >
> > > And so was Raffaele's reply. If you will be using ssh from outside, set
> > > up keys and disable the use of passwords. Use a good password or phrase
> > > on the private key, and keep it on a USB stick away from the laptop.
> > > Laptops are easy to lose. If you need to use Windows, then make the
> > > keys in PuTTY, because as far as I know, PuTTY still can't use OpenSSH
> > > private keys but can make public ones.
> > >
> >
> > Also the AllowUsers directive in sshd_config should be set, because if a
> > user is not listed in there, login attempts stop suddenly at [preauth]
> > level and you can use the form user@domain to further restrict access.
>
> The AllowUsers directive is a legitimate way to restrict ssh logins to
> certain users. However, I do not see what (ssh keys + AllowUsers) brings
> to the party that (password + AllowUsers) doesn't.

If the private key on the client doesn't match the one on the server, the auth process fails suddenly without a passphrase request. So access on the server is granted only with private key && passphrase.

More info and better English:
https://www.google.it/search?q=advantages+of+private+key+sshd&oq=advantages+of+private+key+sshd&aqs=chrome..69i57.10529j0j1&sourceid=chrome&ie=UTF-8
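
Added example, not part of the thread or written by its participants: a small Python check that reads the global section of an sshd_config and reports where it departs from the setup recommended above (keys only, passwords disabled, AllowUsers set, optionally in user@host form). The sample configs, account names and addresses are constructed; `Match` blocks and `Include` files are assumed to be out of scope.

```python
import re

# Defaults from sshd_config(5) for the two authentication directives in the thread.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

# Constructed sample configs (not taken from the thread).
WEAK = """
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """
PasswordAuthentication = no
PubkeyAuthentication yes
AllowUsers alice@192.0.2.10
AllowUsers bob@192.0.2.*
"""

def parse_global(text):
    """Return (settings, allow_users) from the global part of an sshd_config."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()                  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                      # conditional blocks: out of scope
            break
        if key == "allowusers":                 # may repeat; patterns accumulate
            allow_users.extend(value.split())
        else:
            settings.setdefault(key, value)     # first obtained value wins
    return settings, allow_users

def audit(text):
    """List deviations from the setup recommended in the thread."""
    settings, allow_users = parse_global(text)
    eff = {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("password logins enabled")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public key logins disabled")
    if not allow_users:
        findings.append("no AllowUsers list")
    findings += [f"AllowUsers entry not tied to a host: {u}"
                 for u in allow_users if "@" not in u]
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

The WEAK sample is still flagged although it contains `PasswordAuthentication no`, because sshd uses the first value it reads for a keyword. On a live host, `sshd -T` prints the effective configuration and is the authoritative check.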