One Time Passwords

When securing a system, the login location of the user and/or administrator needs to be considered. If logins have to be made from foreign computers (e.g., at an Internet cafe), special countermeasures should be taken. As with everything not under your control, such computers need to be generally treated as untrusted. There is no easy way to assess the presence of any viruses, worms, or key loggers that can capture the entered login credentials.

A solution for such a situation is to deploy a one-time password facility for authentication. Linux can be extended with such systems, one of the popular ones being S/Key. But, in general, careful consideration needs to be taken before allowing logins from untrusted computers. Only allow them if justified by your business needs.

| Option | Description |
| --- | --- |
| PermitRootLogin | Set to no to prevent logins as root. This makes it necessary to always log in with an ordinary user account and use su or sudo to gain root access. |
| PermitEmptyPasswords | Don't allow logins for a user account with no password set. |
| PasswordAuthentication | Don't allow logins with passwords at all. A common practice is to only allow remote logins through public keys. This lowers the risk of being the victim of a brute-force attack. See the man page for ssh-keygen for more information. |
| AllowGroups | Only allow remote logins for members of a particular group. |
| AllowUsers | Only allow remote logins for particular users. |

Table A-1 Example Options in sshd_config for OpenSSH
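The options in Table A-1 can be checked mechanically. The following is an added example, not code from the original article or from OpenSSH: it audits the global section of an sshd_config text, applying the first value read for each keyword and OpenSSH's defaults for absent ones. The function names and sample configurations are constructed for illustration, and Match blocks and Include files are deliberately not evaluated.

```python
# Added example: audit sshd_config text against the options in Table A-1.
# sshd keywords are case-insensitive and the first value read for a keyword wins.

# Defaults sshd applies when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
}

# Constructed sample: a later "PermitRootLogin no" does not override the first line.
SAMPLE = """\
# constructed sample, not from a real host
Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_global(text):
    """Return {keyword: value} for lines before the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":          # conditional blocks are out of scope here
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return one finding string per Table A-1 option that is not hardened."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    for name in ("PermitRootLogin", "PermitEmptyPasswords", "PasswordAuthentication"):
        value = cfg[name.lower()]
        if value != "no":
            findings.append(f"{name}: effective value '{value}', expected 'no'")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("AllowUsers/AllowGroups: neither is set, any account may log in")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration, including defaults, and is the authoritative source to compare against.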
