On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
<jeremy.bo...@undergrid.net> wrote:
>     Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good
> starts... I'd also check that "ChallengeResponseAuthentication no" is set as
> well as some PAM modules will utilize it and be able to get around passwords
> being entered as well as "UsePAM no"


>     I do agree locking the root password isn't advisable. As I use
> configuration management/automation to handle my servers I simply set the
> root password to generated password that only I know the algorithm to
> reproduce it when I need to,

Can you give more details on the process (at least generally)?

> but enable sudoers for all other 'root' access.

Can one use that method and restrict use of "sudo su?"

>     I also go further by utilizing Duo Security as a MFA for SSH logins to
> my servers for accounts authorized to log in.

Hm, so you do allow some accounts password access?

Thanks, Jeremy!



Reply via email to