Re: Logging in to mike
Geoff,
Thank you.
Such a scheme sounds good to me. It is just the type of suggestion that I
was soliciting. Anyone have any comment?
I would hope that the world was such that I could run wide open. There is
nothing on any of my computers that are connected to the net that I would
not make public to the world. But there are some out there that would
just like to do damage, and I am subject to that. Mostly the worst that
could happen is that I would have to load a bunch of disks. But that will
soon take many days.
Tom Droege
> On Sat, 16 Oct 2004 03:55 am, droege@snapmail.us wrote:
>> OK, you all should know that I don't know what I am doing.
>>
>> I just created the login worker with password ysduaup
>
> Hi Tom, I'm a little concerned for your system with this level of
> security.
> Have you considered using disabled for password accounts that can only be
> accessed by validated users ssh keys?
>
> i.e. You still have the one account called 'worker' - you cannot log on to
> it using a password so someone can try and guess the password till they
> turn blue in the face (eg. passwd -l worker;passwd -x 99999). People who
> you want to allow to access the 'worker' account send you their ssh public
> key and you install it into the 'worker' ~/.ssh/authorized_keys2 file
>
> With that sort of approach you can control who you want to have access to
> your system, you don't have to worry about changing/distributing passwords
> and having that password float into the hands of someone undesirable.
>
> It does depend on everyone being familiar and comfortable using ssh keys
> rather than passwords.
>
> I can provide more details if required.
>
> -goc-
>
>
>
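The key-only access scheme described in the quoted reply above, as an added example that is not part of the original thread: a POSIX shell helper that installs one submitted public key into the shared account's key file (the thread's `~/.ssh/authorized_keys2`, passed in as a path). The function names, return codes and the sample key are assumptions constructed for illustration, and the check is syntactic only.

```shell
#!/bin/sh
# Added example. Paths and key material used with it are constructed.

# validate_pubkey LINE: succeed only for "<type> <base64> [comment]".
validate_pubkey() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;                 # also rejects option prefixes and junk
    esac
    case $2 in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # key blob must be base64 only
    esac
}

# install_pubkey KEYFILE AUTHFILE: append one reviewed key, idempotently.
# Returns 2 (not exactly one line), 3 (malformed), 4 (filesystem error).
install_pubkey() {
    keyfile=$1; auth=$2
    # A submission with several lines would grant more keys than were reviewed.
    [ "$(grep -c . "$keyfile")" -eq 1 ] || return 2
    key=$(grep . "$keyfile")
    validate_pubkey "$key" || return 3
    dir=$(dirname "$auth")
    { mkdir -p "$dir" && chmod 700 "$dir"; } || return 4
    { touch "$auth" && chmod 600 "$auth"; } || return 4
    # Match on the key blob so a changed comment still counts as a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    grep -qF -- "$blob" "$auth" && return 0
    printf '%s\n' "$key" >> "$auth"
}

# Demo with a constructed, non-functional key in a throwaway directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyBlob0000 alice@example' \
        > "$tmp/alice.pub"
    install_pubkey "$tmp/alice.pub" "$tmp/.ssh/authorized_keys2"
    echo "install status: $?"
    rm -rf "$tmp"
}
demo
```

Run as root or as the account owner, the second argument would be the real `~worker/.ssh/authorized_keys2`; removing a person's access is then a matter of deleting their line from that file.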