On 6/16/2016 8:21 PM, Kent Borg wrote:
> On 06/16/2016 06:37 PM, Dan Ritter wrote:
>> 1. You can assign passwords, but tell sshd to only allow access via
>> keys. This is a Good Idea.
>
> So for you--someone running your own machine--you use keys to login but
> still use a password on sudo? (This is common? Seems part of going to
> keys is to get rid of passwords.)

Depends what you're going for. If you're opening up a port to the world to brute force, it's generally smart to not allow password logins via ssh. So the key-only auth is stronger for the bigger attack surface.

Requiring a password for sudo then isn't contradictory, it's a different threat model. Passwords are for people already logged into the system, or people who have physical access to the machine and can login to the console (which is a much smaller attack surface).

Matt
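
Added example, not part of the original message or thread: a small shell check for the split discussed above (key-only SSH on the network-facing side, password still required for sudo). The sample settings and sudoers lines are constructed, and the function names are hypothetical; the setting names are those printed by `sshd -T`.

```shell
#!/bin/sh
# Constructed sample: effective sshd settings in the lowercase
# "key value" form that `sshd -T` prints.
SAMPLE_SSHD='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no'

# Constructed sample sudoers content (the NOPASSWD rule is commented out).
SAMPLE_SUDOERS='Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
# deploy ALL=(ALL) NOPASSWD: ALL'

# Print the value of one setting from `sshd -T`-style text ($1=text, $2=key).
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# "key-only" only when both password paths are off and public keys are on.
# A missing setting is treated as unconfirmed, so the result fails closed.
ssh_auth_mode() {
    pw=$(sshd_value "$1" passwordauthentication)
    kbd=$(sshd_value "$1" kbdinteractiveauthentication)
    # Older OpenSSH releases report this setting under its previous name.
    [ -n "$kbd" ] || kbd=$(sshd_value "$1" challengeresponseauthentication)
    pk=$(sshd_value "$1" pubkeyauthentication)
    if [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pk" = yes ]; then
        echo key-only
    else
        echo password-possible
    fi
}

# "passwordless" if any active sudoers line waives the password prompt.
sudo_mode() {
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Eq 'NOPASSWD|!authenticate'; then
        echo passwordless
    else
        echo password-required
    fi
}

echo "ssh: $(ssh_auth_mode "$SAMPLE_SSHD"), sudo: $(sudo_mode "$SAMPLE_SUDOERS")"
```

On a real host the inputs would be the output of `sshd -T` (run as root) and the contents of the sudoers files, instead of the constructed samples.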
