diff options
author | https://www.google.com/accounts/o8/id?id=AItOawlm8dkrPSmEyV3avjyCkJBhsosWKjJj7jc <Jacob@web> | 2013-10-10 16:58:32 +0000 |
---|---|---|
committer | admin <admin@branchable.com> | 2013-10-10 16:58:32 +0000 |
commit | c5fc7e5181defb80f3d9b6a99c2074dad23bbf34 (patch) | |
tree | 1039a47c28ab465b561b65f648070cec08432f02 /doc | |
parent | 76c6ff324ddcb9e8abc2f8831164a20037123f6d (diff) |
elaborate on local pairing sshd security
Diffstat (limited to 'doc')
-rw-r--r-- | doc/assistant/local_pairing_walkthrough.mdwn | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/doc/assistant/local_pairing_walkthrough.mdwn b/doc/assistant/local_pairing_walkthrough.mdwn index 100406564..f6282ec28 100644 --- a/doc/assistant/local_pairing_walkthrough.mdwn +++ b/doc/assistant/local_pairing_walkthrough.mdwn @@ -38,7 +38,7 @@ git-annex folders. Just like that you can share files. For local pairing to work, you must have sshd (ssh server daemon) installed and working on all machines involved. That means you must allow at least local connections to sshd. On most Linux distributions, sshd is packaged in either openssh (openSUSE) or openssh-server (Debian). -It is highly recommended that you disable root login and login from outside of your local network. +It is highly recommended that you disable root login, disable password login to sshd and just enable key based authentication instead. No one will be able to login without your key. To disable root, after installing sshd, edit the sshd config (usually /etc/ssh/sshd_config file) and disable root login by adding: @@ -46,10 +46,21 @@ To disable root, after installing sshd, edit the sshd config (usually /etc/ssh/s Restart sshd. See man sshd_config for details. -To restrict login to your local network only (not allow internet users from trying to log into your computer) edit the hosts.deny file (usually /etc/hosts.deny) by adding the following: +To disable password login and enable key based authentication, edit the sshd config (just like above) by uncommenting and changing the following options: + + ChallengeResponseAuthentication no + PasswordAuthentication no + UsePAM no + + PubkeyAuthentication yes + +Restart sshd. See man sshd_config for details. + +You can also restrict login to your local network only (not allow internet users from trying to log into your computer). Edit the hosts.deny file (usually /etc/hosts.deny) by adding the following: sshd : ALL EXCEPT LOCAL +Do note that restricting login to your local network may or may not block git-annex. Also note that this will not work on Mac OSX because Apple decided to disable this feature and replace it with a crippled version made by Apple. ## Tips |