LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS October 2008

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: obscure iptables rules [Re: Security Breach]
From:	Brett Viren <[log in to unmask]>
Reply To:	Brett Viren <[log in to unmask]>
Date:	Thu, 2 Oct 2008 10:14:32 -0400
Content-Type:	text/plain
Parts/Attachments:	text/plain (27 lines)

Dr Andrew C Aitchison <[log in to unmask]> writes:

> On Wed, 1 Oct 2008, Brett Viren wrote:
>
>> Now we disallow passwords entirely on any publicly visible SSH
>> server (and so should you) so it's less useful.
>
> Does anyone have experience of training over a hundred academics
> to use ssh keys for remote login from random places all over the
> world ?

Unfortunately, yes.  However, with enough effort, they can be trained!

We had no choice but to switch however part of what helped was good
documentation, which I hope to say we have here:

http://www.phy.bnl.gov/computing/index.php/Remote_Access

In the end everyone that previously used SSH passwords here were able
to handle the switch without too much grumbling.  Some of those that
went further to use ssh-agent were even happier than before.  

And it had real results.  We went from about one compromise via SSH
per month to essentially zero.

-Brett.

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV