Hi,

On Tue, Feb 14, 2023 at 04:41:54PM +0100, Stefanie Leisestreichler wrote:
> Today I am asking for your advice.
> I need to grant access to one machine to a user who is able to use a
> terminal. The whole net is a small one without the need for openvpn to
> manage it until now. I am thinking about giving this single user the
> possibility to connect to the machine (running in DMZ) via ssh access,
> dnatted over the public internet. The sshd will be kept updated (arch
> linux as os). Auth will be made using public/private cert.
If you open ssh to the public Internet, make sure that password
authentication is disallowed (/etc/ssh/sshd_config,
"PasswordAuthentication no").

So, not only make the user use pubkey auth, but make sure that the server
will never ever let anyone in who does not have that key and brute-forced
someone's weak password. There is a continuous flurry of ssh connects
trying passwords out there...

Even better if you can restrict the client access to the IP address
(range) from where it's connecting.

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
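The two settings Gert recommends, shown as a small audit script. This is an added example and not part of the thread; the two sshd_config samples, the "admin" account name and the 203.0.113.0/24 range are constructed for illustration.

```shell
#!/bin/sh
# Check an sshd_config for the advice above: password logins off, pubkey
# logins on, and the admin account limited to the address range it
# connects from. Both configs below are constructed samples.
WEAK_CFG='Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
'
HARDENED_CFG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive is another password path; older sshd spells
# this keyword ChallengeResponseAuthentication
KbdInteractiveAuthentication no
PermitRootLogin no
# one account, and only from the (constructed) range it comes from
AllowUsers admin@203.0.113.0/24
'

# sshd_value CONFIG KEYWORD: sshd takes the first occurrence of a keyword,
# so print the first value found before any Match block (case-insensitive).
sshd_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 ~ /^#/ { next }
    tolower($1) == "match" { inmatch = 1 }
    !inmatch && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONFIG: print findings, return 0 only if all checks pass.
# Unset keywords fall back to the sshd defaults (password auth is on).
audit_sshd() {
  cfg=$1; rc=0
  pw=$(sshd_value "$cfg" PasswordAuthentication)
  [ "${pw:-yes}" = "no" ] || { echo "FAIL: PasswordAuthentication=${pw:-yes}"; rc=1; }
  pk=$(sshd_value "$cfg" PubkeyAuthentication)
  [ "${pk:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication=$pk"; rc=1; }
  kb=$(sshd_value "$cfg" KbdInteractiveAuthentication)
  [ -n "$kb" ] || kb=$(sshd_value "$cfg" ChallengeResponseAuthentication)
  [ "${kb:-yes}" = "no" ] || { echo "FAIL: KbdInteractiveAuthentication=${kb:-yes}"; rc=1; }
  au=$(sshd_value "$cfg" AllowUsers)
  case "$au" in *@*) ;; *) echo "WARN: no AllowUsers user@address limit"; rc=1 ;; esac
  [ "$rc" -eq 0 ] && echo "OK: key-only login, source-restricted"
  return "$rc"
}

echo "--- weak config ---";     audit_sshd "$WEAK_CFG" || echo "-> do not expose this"
echo "--- hardened config ---"; audit_sshd "$HARDENED_CFG"
```

On the real host, run the same checks against the effective config (`sshd -T`) rather than the file, since included files and Match blocks can change what applies.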
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users