On Thu, Mar 20, 2014 at 09:26:18AM -0500, Kenton Brede wrote:
> Years ago when I started administering linux boxes, some of our boxes had
> sshd open to the world. So I devised kind of "poor person's" two-factor
> password authentication. It worked like this:
>
> admin1: could login to the system and su only to admin1ad.
> admin1ad: could not login, could su to root.
>
> Currently for all of our boxes, port 22 is behind a VPN. Some of us are
> using ssh keys for the initial login but password authentication is still
> enabled.
>
> I'm thinking about disabling password auth, using keys only and
> passwordless sudo access. Everyone would just have one user account. It
> sounds like at some point we'll be moving to two-factor for our VPN.
>
> Is this pretty much standard practice these days? Is it reasonably
> secure? If not, how are you all handling ssh authentication?
We keep the overall network behind a firewall. There are two boxes that you can ssh into from the outside world. Each of these login boxes has password authentication disabled, and an AllowUsers line that strictly limits who can access it. root is not allowed. End users do not know their own passwords on this box (although sysadmins do).

End users can set up tunnels, and the login box provides a proxy on 127.0.0.127 that can be used to access internal resources through an SSH tunnel.

When we have to let an employee go, we disable their keys on the login boxes and change their mail passwords, and they no longer have access to anything from the outside. Then we run our cleanup procedures without worrying about a race against the clock.

-dsr-

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
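The login-box settings dsr describes (password authentication off, root login off, an AllowUsers allow-list) are easy to state and easy to get subtly wrong, because sshd takes the first occurrence of a directive and lets a later Match block override it per user or host. The script below is an added example, not code from this thread or from the LOPSA list: it audits an sshd_config for those three settings and runs itself against two constructed sample files (a default-style config and a hardened one). The file contents, the user names alice/bob/ops and the temp-file handling are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# a key-only login box should have: PasswordAuthentication no,
# PermitRootLogin no, and an AllowUsers line. POSIX sh + awk only.

# Print the effective global value of a directive. sshd honours the FIRST
# occurrence of a directive, so we stop at the first hit; we also stop at the
# first "Match" block, because directives inside it are scoped to matching
# users/hosts and are not the global setting this check is about.
sshd_directive() {
    # $1 = config file, $2 = directive name (matched case-insensitively)
    awk -v key="$2" '
        tolower($1) == "match" { exit }          # Match block: global section ends
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Returns 0 when all three conditions hold, 1 otherwise, one line per finding.
audit_sshd_config() {
    rc=0
    pw=$(sshd_directive "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    root=$(sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    allow=$(sshd_directive "$1" AllowUsers)
    # An absent directive falls back to sshd's compiled-in default, which for
    # PasswordAuthentication is "yes"; treat absent as a failure for both.
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset (default yes)}', expected no"; rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset (default)}', expected no"; rc=1
    fi
    if [ -z "$allow" ]; then
        echo "FAIL: no AllowUsers line; any account with a valid key can log in"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 passes all three checks"
    return "$rc"
}

# Constructed sample configs for a before/after run (not real systems).
# Sets WEAK and HARD to the paths of two temp files.
write_sample_configs() {
    WEAK=$(mktemp); HARD=$(mktemp)
    cat > "$WEAK" <<'EOF'
# default-style config: password login and root allowed, no allow-list.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# A Match block turning passwords off for one user does NOT fix the global setting.
Match User ops
    PasswordAuthentication no
EOF
    cat > "$HARD" <<'EOF'
# login-box style config: keys only, no root, explicit allow-list.
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
}

# Stand-alone run: audit the two samples, then a real file if one is given.
write_sample_configs
audit_sshd_config "$WEAK" || true
audit_sshd_config "$HARD" || true
rm -f "$WEAK" "$HARD"
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

Run it as `sh audit_sshd.sh /etc/ssh/sshd_config` to check a real host. The check reads only the global section on purpose: a `Match` block can re-enable password authentication for particular users or source addresses, so after the global audit passes it is worth reading any Match blocks by hand, or running `sshd -T -C user=alice,host=...,addr=...` to see the effective settings sshd itself computes for a given connection.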