As many users know, I run lots of Debian servers, for personal, work, and volunteer organizations. I'm seeing lots of posts recently on both Superuser and IT Security about disabling passwords, and just using key-based authentication.
I use key-based authentication for all my root access from my personal server, my work laptop, and the computer I use most of the time away from work. However, to get on any of the servers not using WinSCP (where I have my keys saved, at least for my Windows PC), I log in as my standard user account, then `su` to root, using the very long password.
On the servers I do not manage for work purposes, I keep these keys in just those three places, mainly for doing backups. I use very strong passwords (in my opinion), and only `PermitRootLogin without-password` (I love when config files let me use them in sentences!). When I log in from another place, I use my regular account with a strong password, because I don't have a place I can keep my keys and pull up if I need to log in normally from a new device.
I see this as having two possible solutions:
- Storing the keys in plain text or encrypted somewhere remote, and disabling all password-based authentication methods to my servers. If so, where and how can I store them securely so that they won't likely get compromised?
- Using a strong regular-user password, and changing it every 90 days. This is a good practice, I'm sure, but my memory really sucks. I'm sure I'd keep using the same password anyway, just out of sheer habit, which breaks the whole point of doing this.
I'd really like to use method 1, but I don't know what would be the best practice with so many servers, and many of them using different passwords just to START logging in from a new location. For example, I regularly use my cell phone to tunnel home, or to check the status of a service at a remote site.
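An added example (mine, not from the question or its commenters): a POSIX shell checker that reads an `sshd_config` and reports whether root is limited to key logins and whether password logins are globally off, applying sshd's rule that the first value read for a keyword is the one enforced. The config content it checks is constructed to mirror the setup described above.

```shell
#!/bin/sh
# Added example (not from the post): report the root-login policy an sshd_config actually
# enforces. Two sshd rules matter here: the FIRST value read for a keyword wins, so a
# later duplicate is silently ignored, and keywords after a "Match" line apply only to
# that block. Handles the "Keyword value" form only, not "Keyword=value".

# effective_value FILE KEYWORD -> first global value of KEYWORD (lowercase), or "unset"
effective_value() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    v=$(awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # everything after Match is conditional
        tolower($1) == key { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${v:-unset}"
}

# root_key_only FILE -> true (0) only if root is restricted to public-key logins.
# "without-password" is the pre-OpenSSH-7.0 spelling of "prohibit-password".
# An absent keyword is reported as not verified, because the built-in default
# changed from "yes" to "prohibit-password" in OpenSSH 7.0.
root_key_only() {
    case "$(effective_value "$1" PermitRootLogin)" in
        without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# password_auth_disabled FILE -> true (0) if password logins are globally off
password_auth_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication)" = no ]
}

# Constructed sample mirroring the setup in the question (not a real server's file)
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
# the next line is IGNORED by sshd: the first PasswordAuthentication value wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

f=$(mktemp)
sample_config > "$f"
printf 'PermitRootLogin: %s\n' "$(effective_value "$f" PermitRootLogin)"
root_key_only "$f" && echo "root: key-only" || echo "root: NOT key-only"
password_auth_disabled "$f" && echo "passwords: disabled" || echo "passwords: still allowed"
rm -f "$f"
```

Run it against a real file with `sshd_config` in place of the sample to see whether a later `PasswordAuthentication no` is actually taking effect; on a live host, `sshd -T` prints the same effective values.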
Buy a smart card and put them there – Neil McGuigan – 2016-02-03T19:13:15.217
And how can I use that smart card with a mobile phone? – Canadian Luke – 2016-02-03T19:35:23.680
Yubikey Neo supports NFC https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ – Neil McGuigan – 2016-02-03T19:40:01.397