Russell L. Harris <[EMAIL PROTECTED]>:
>
> Is there a major or unreasonable security risk if the sysop creates
> on the server an account with the same username, password, and
> passphrase as his account on the desktop machine?

Same username is a convenience, account passwords need not be the same, and if you gpg-genkey then distribute that key to each host's ~/.ssh, you'll ssh-add once for each sshd you subsequently make requests of.

> That is, if the server is compromised, should the sysop change his
> password, passphrase, etc.?

If the server's compromised, you should reinstall. Same thing you do with penicillin these days; finish it and wipe out even the last vestiges of the bug that infected you.

Using ssh means conversations between boxes are encrypted, so no one's going to sniff passwords from your traffic. Disable sshd password logins, insisting it use crypto keys for authentication instead. As long as you've no keylogger running on the box where you ssh-add (or gpg-genkey), I can't see how anyone's going to come close to breaking in, assuming the rest of the system's been sufficiently policed. You're not running daemons you don't need, and you watch the ones you do, yes?

> If so, what is the recommended alternative? Is there a HOWTO on
> this subject?

tldp.org

Kerberos, SELinux, tripwire, portknocker, ...

Or, unplug it, put it in a locked vault, and enjoy the peace and quiet.

If you have good backups, why worry about it? Reinstall's minutes away.

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html    Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html    Please, don't Cc: me.
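
As an added illustration of the "disable sshd password logins" advice in the message above (not part of the original post): a Python check of the global section of an sshd_config that reports whether password-style logins are still possible. The sample config is constructed, the function names are hypothetical, and the defaults are assumed to be upstream OpenSSH's.

```python
import re

# Upstream OpenSSH defaults (assumption: your distribution's packaged
# sshd_config may ship different values).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated keyword still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Constructed sample: sshd keeps the FIRST value obtained for a keyword,
# so the later "PasswordAuthentication no" has no effect.
SAMPLE = """\
# constructed example config
passwordauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication=no
Match User backup
    PasswordAuthentication yes
"""

def effective_global(config_text):
    """Return (settings, has_match) for the global section of an sshd_config."""
    settings, seen, has_match = dict(DEFAULTS), set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" both parse.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # per-user/host overrides start here; stop
            has_match = True
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen.add(key)
            settings[key] = parts[1].strip('"').lower()
    return settings, has_match

def audit(config_text):
    """List findings that leave password-style logins possible."""
    s, has_match = effective_global(config_text)
    want = {"passwordauthentication": "no",
            "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}
    findings = [f"{k} is '{s[k]}', want '{v}'" for k, v in want.items() if s[k] != v]
    if has_match:
        findings.append("Match block present: overrides not evaluated")
    return findings
```

Include files and Match blocks are not evaluated here; `sshd -T` prints the configuration the daemon actually resolves.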