> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Kenton Brede
>
> I'm thinking about disabling password auth, using keys only and passwordless
> sudo access. Everyone would just have one user account. It sounds like at
> some point we'll be moving to two-factor for our VPN.
> Is this pretty much standard practice these days? Is it reasonably secure? If
> not, how are you all handling ssh authentication?
If users protect their ssh keys well, then just ssh keys would be great. Unfortunately this is not always so. So I still think it's wise for sudo to require a password. Better yet, implement true 2-factor, where you first log in with an ssh key and, before you can do anything, you are immediately presented with a password prompt, with controls in place to enforce complexity requirements and rate-limit brute-force password guessing.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
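As an added illustration of the setup the reply argues for (this is not code from the thread or from either poster), the POSIX shell script below audits an sshd_config and a sudoers file for the three points at issue: no password-only ssh logins, a second factor required after the key (OpenSSH's `AuthenticationMethods publickey,password` or `publickey,keyboard-interactive`), and sudo still prompting for a password (no `NOPASSWD`). The two sample configurations it writes are constructed for illustration: one is the key-only, passwordless-sudo setup from the question, the other the key-then-password setup from the reply. Password complexity and brute-force rate limiting are enforced in PAM and are not inspected here.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. It reads an sshd_config and a
# sudoers file and reports: password-only ssh logins, no second factor after
# the key, and sudo that never asks for a password. The sample files written
# by write_samples are constructed for illustration.

# First uncommented value of an sshd_config keyword (sshd honours the first
# match; keywords are case-insensitive). Directives inside Match blocks are
# not distinguished from global ones here, so review those by hand.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Usage: audit_ssh_sudo SSHD_CONFIG SUDOERS
# Prints one finding per line; prints nothing for the recommended setup.
audit_ssh_sudo() {
    pw=$(sshd_opt "$1" PasswordAuthentication)
    methods=$(sshd_opt "$1" AuthenticationMethods)

    # Without an AuthenticationMethods list any enabled method alone logs a
    # user in, and sshd's default for PasswordAuthentication is yes.
    if [ -z "$methods" ] && [ "$pw" != "no" ]; then
        echo "sshd: a password alone logs a user in (PasswordAuthentication=${pw:-yes by default})"
    fi

    # Key first, then something else: publickey,password and
    # publickey,keyboard-interactive (PAM) both satisfy this.
    case "$methods" in
        publickey,*) ;;
        *) echo "sshd: no second factor required after the key (AuthenticationMethods=${methods:-unset})" ;;
    esac

    # The second step can only run if its method is enabled.
    case "$methods" in
        *password*)
            if [ "$pw" = "no" ]; then
                echo "sshd: AuthenticationMethods lists password but PasswordAuthentication is no; the second step can never succeed"
            fi ;;
    esac

    # Passwordless sudo turns a stolen key straight into root.
    if grep -v '^[[:space:]]*#' "$2" | grep -q 'NOPASSWD'; then
        echo "sudo: NOPASSWD grants root without a password prompt"
    fi
}

# Constructed sample configurations (not from any real host).
write_samples() {
    # The question's proposal: keys only, passwordless sudo.
    cat > "$1/sshd_config.proposed" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/sudoers.proposed" <<'EOF'
%wheel ALL=(ALL) NOPASSWD: ALL
EOF
    # The reply's recommendation: key, then a password prompt; sudo asks too.
    cat > "$1/sshd_config.twofactor" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
MaxAuthTries 3
EOF
    cat > "$1/sudoers.twofactor" <<'EOF'
%wheel ALL=(ALL) ALL
EOF
}

# Stand-alone demo: audit both constructed setups.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== keys only, NOPASSWD sudo (question) =="
audit_ssh_sudo "$demo_dir/sshd_config.proposed" "$demo_dir/sudoers.proposed"
echo "== key then password, sudo asks (reply) =="
audit_ssh_sudo "$demo_dir/sshd_config.twofactor" "$demo_dir/sudoers.twofactor"
rm -rf "$demo_dir"
```

Run it against a real host with `audit_ssh_sudo /etc/ssh/sshd_config /etc/sudoers` (and each file under `/etc/sudoers.d`). The key-only setup from the question produces two findings (no second factor, passwordless sudo); the reply's setup produces none.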