On Mon, Oct 3, 2016 at 8:57 AM, Chris Murphy <lists(a)colorremedies.com> wrote:
Hi,
I'm noticing even with cockpit-0.117 in Fedora 24 Server, that it
supports ssh key assignment for users. Since it's possible to login to
cockpit out of the box, and setup ssh keys via the web interface, is
it now practical to set these by default in the F26/F27 time frame?
And if not, what additional work needs to be done?
Disable root logins with ssh
/etc/ssh/sshd_config PermitRootLogin no
Disable root entirely (sudo -i still works)
usermod -p '!' root
Disable password login with ssh (key only)
/etc/ssh/sshd_config PasswordAuthentication no
In my case I use all three as pretty much the first step for a new
Fedora 24 Server installation.
An alternative might be disabling sshd out of the box. It could be
turned on via cockpit, and require no additional configuration to ssh
login. That perhaps is a compromise between better out of the box
security and usability.
The existing Fedora 24 documentation how to setup public key based
authentication looks good to me. If there's a way to link to that, or
even more concise documentation somewhere within Cockpit, does that
alleviate usability concerns by configuring sshd by default to not
accept password authentication?
https://docs.fedoraproject.org/en-US/Fedora/24/html/System_Administrators...
--
Chris Murphy