Only allow SSH with keys, more secure?

Status
Not open for further replies.

patrik

Verified User
Joined
Sep 6, 2006
Messages
128
I was thinking of only enabling SSH login with keys (and removing password authentication). A simple DA plugin will then be used by the customers for SSH key administration. The plugin will only accept keys which are password protected.

What do you think, will the server be more secure with this setup?
 
The problem will be if/when an administrator is travelling and has to log in from a different computer.

I for one still prefer passwords. I use strong enough passwords so I don't have to worry about break-ins.

Another way to be secure (xemaps, please don't bother to argue with me on this one) would be to use a different port besides the standard, so the hacking scripts couldn't get in even if they somehow guessed the password, since they only try the ssh port.

Jeff
 
jlasman said:
The problem will be if/when an administrator is travelling and has to log in from a different computer.
That wouldn't be any problem. I would just log in to another machine that does allow password login and then continue from there.
 
jlasman, I won't argue with you. 99% of login attempts I witness on sshd are done via automated scanning bots trying their luck with port 22 over an entire IP range, so moving the sshd port kills these off instantly, quick and effective.

Keys are more secure, but as mentioned, if you remove the ability to log in with passwords over ssh and then lose your key, you will need console access to get back into the server.
 
Chrysalis said:
Keys are more secure, but as mentioned, if you remove the ability to log in with passwords over ssh and then lose your key, you will need console access to get back into the server.
That's (in some sense) what the plugin is all about. If you don't have any keys you use the plugin to generate a pair. And of course you can also re-generate a new pair if the original was lost.
And even in the worst case, when the plugin/DA doesn't work, we have ILO/DRAC on almost all servers, which we're able to log in with.
 
Bringing up an old thread. Does anyone know if there is a plugin that does this?

Also, would the use of keys interfere with the multi-server setup? I'm guessing not, but it's the type of thing you want to be sure about :)
 
I never wrote this in response previously.

The reason I wouldn't develop a plugin is simply that with an insecure (http) login (which it turns out many people still use with DirectAdmin) there's always a chance that your DirectAdmin login could be compromised by a sniffer, and then that person could log into DirectAdmin and generate a pair of keys.

Not really secure enough for us.

I'm not sure how Multi-Server DNS works, perhaps someone else could answer that for us.

Jeff
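
For the setup this thread discusses (key-only SSH login with password authentication removed), the following is an added example and not part of any post: a small auditor that checks whether sshd_config text really leaves keys as the only way in. It also checks keyboard-interactive authentication, because with PAM that method can still prompt for a password after `PasswordAuthentication no`. The sample configurations and the port number are constructed.

```python
# Added example: audit sshd_config text for key-only login. First occurrence of a
# keyword wins; Match blocks override globals. Include files are not followed.
# keyword -> (value needed for key-only login, OpenSSH default when absent)
REQUIRED = {
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit(config_text):
    """Return a list of findings; an empty list means key-only login."""
    first_seen, findings, in_match = {}, [], False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = value != "all"   # "Match all" returns to global scope
        elif key in REQUIRED:
            if not in_match:
                first_seen.setdefault(key, (value, lineno))
            elif value != REQUIRED[key][0]:
                findings.append(f"line {lineno}: Match block sets {key} {value}")
    for key, (wanted, default) in REQUIRED.items():
        value, lineno = first_seen.get(key, (default, None))
        if value != wanted:
            where = f"line {lineno}" if lineno else "built-in default"
            findings.append(f"{where}: {key} is {value}, want {wanted}")
    return findings

# Constructed samples (not taken from the thread).
WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
HARDENED = """\
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration, including included files, and is the authoritative check.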
 