At $WORK, for the servers I run, SSH is behind the VPN, and limited by external firewalls to a small subset of the network. (People that work with servers can SSH in, but random other people on campus can't.)
For logging in, we've tied that to our Active Directory credentials, because we're a pretty big Microsoft shop. Further, each server has a domain group explicitly stating which users can log in, and which users can use sudo. It feels weird using the domain\user form to log into a Linux box, but you get used to it after a while. Between logins being limited to a small range of IP addresses, and a small range of users, we think it's reasonably secure.

In a past life, where we didn't have things like single sign-on, I used Duo Security (duosecurity.com). It implements two-factor for SSH, by way of sending a text message or installing a custom app on your cell phone. It does require that your server have Internet connectivity (so it can contact Duo, who sends the text or push notification on your behalf), and it does require trusting their code, but it works well and is reasonably priced.

David Smith

From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On Behalf Of Kenton Brede
Sent: Thursday, March 20, 2014 9:26 AM
To: t...@lopsa.org
Subject: [lopsa-tech] ssh authorization security model

Years ago when I started administering Linux boxes, some of our boxes had sshd open to the world. So I devised a kind of "poor person's" two-factor password authentication. It worked like this:

admin1: could log in to the system and su only to admin1ad.
admin1ad: could not log in, could su to root.

Currently for all of our boxes, port 22 is behind a VPN. Some of us are using ssh keys for the initial login but password authentication is still enabled. I'm thinking about disabling password auth, using keys only and passwordless sudo access. Everyone would just have one user account. It sounds like at some point we'll be moving to two-factor for our VPN.

Is this pretty much standard practice these days? Is it reasonably secure? If not, how are you all handling ssh authentication?

Thanks,
--
Kent Brede
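As an added example (mine, not code from either message in this thread), here are the sshd_config and sudoers fragments that implement the model Kent describes (keys only, no password authentication, passwordless sudo, one personal account per admin, login restricted to a directory group as in David's setup), together with a small audit function that reports which of those settings an sshd_config text leaves weak. The group names ssh-users and sudo-admins are assumptions; whatever group you use must resolve through NSS (for example via sssd or winbind) for AllowGroups and sudoers to see it. The sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Group names are assumptions.

# Fragment for /etc/ssh/sshd_config. sshd uses the FIRST occurrence of each
# keyword, so these lines must precede any distro default or Match block that
# sets the same keyword. On OpenSSH 8.7+ the preferred keyword for the second
# line is KbdInteractiveAuthentication; ChallengeResponseAuthentication is
# still accepted as an alias.
HARDENED_SSHD_CONFIG='
# Public keys only: no passwords, no keyboard-interactive (PAM) prompts.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Nobody logs in as root; admins sudo from their own account.
PermitRootLogin no
# Only members of this (directory) group may log in at all.
AllowGroups ssh-users
'

# Fragment for /etc/sudoers.d/admins (install with visudo -f, mode 0440):
# members of the sudo-admins group get root without a password prompt.
SUDOERS_FRAGMENT='%sudo-admins ALL=(ALL) NOPASSWD: ALL'

# Constructed weak sample: a commented-out distro default, root login enabled,
# and a hardening line hidden inside a Match block where it only applies to
# one user.
WEAK_SSHD_CONFIG='
#PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
'

# sshd_effective KEYWORD DEFAULT: print the global value sshd would use for
# KEYWORD given sshd_config text on stdin. Comments are stripped, keywords are
# case-insensitive, the first occurrence wins, and scanning stops at the first
# Match block because settings after it are conditional. Assumes the
# whitespace-separated "Keyword value" form, not "Keyword=value".
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); default=$2
    while IFS= read -r line; do
        line=${line%%#*}
        set -- $line
        [ $# -gt 0 ] || continue
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        if [ "$kw" = match ]; then break; fi
        if [ "$kw" = "$key" ]; then printf '%s\n' "$2"; return 0; fi
    done
    printf '%s\n' "$default"
}

# audit_sshd_config: read sshd_config text on stdin, print one WEAK line per
# setting that departs from the keys-only model, return 1 if any, else 0.
# The second field of each spec is OpenSSH's compiled-in default, used when
# the keyword is absent; the third is the value we want ("SET" = any value).
audit_sshd_config() {
    cfg=$(cat)
    findings=$(
        for spec in \
            "PasswordAuthentication yes no" \
            "ChallengeResponseAuthentication yes no" \
            "PubkeyAuthentication yes yes" \
            "PermitRootLogin prohibit-password no" \
            "AllowGroups unset SET"; do
            set -- $spec
            v=$(printf '%s\n' "$cfg" | sshd_effective "$1" "$2" | tr 'A-Z' 'a-z')
            if [ "$3" = SET ]; then
                [ "$v" != unset ] || echo "WEAK: $1 not set; every account NSS resolves may log in"
            elif [ "$v" != "$3" ]; then
                echo "WEAK: $1 is '$v', want '$3'"
            fi
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Demo on the constructed weak sample. On a real host, dump the effective
# configuration instead:  sshd -T | audit_sshd_config
if ! printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config; then
    echo "audit: settings above need fixing"
fi
```

One caveat worth keeping in mind with this model: once passwords are off and sudo is NOPASSWD, the private key (and whatever protects it: a passphrase, an agent, a hardware token) is the entire security of root on every box the key reaches, so key hygiene on admin workstations matters as much as the server-side settings do. After editing sshd_config, run `sshd -t` to syntax-check it before restarting, and keep an existing session open until a fresh login succeeds.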
_______________________________________________ Tech mailing list Tech@lists.lopsa.org https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/