root access security (password vs cert)

Ichiban

Member
It looks like the common wisdom is that it's best to generate an ssh key for root (and anyone else requiring access) and soley use that cert to access the system, disabling password authentication to the server to prevent brute force attacks.

Currently, my root password is a long, random, complex string stored in a KeePass vault. KeePass also has an extension (KeeAgent) to handle ssh keys. Unfortunately, while there is an excellent KeePass client (KeePass2Android) on Android, KeePass extensions don't work with that app. That'd leave me doing some sort of juggling to get in as root from my phone or tablet and it seems likely the private key might need to be locally exported in some way during that juggling.

So I'm wondering if ssh certs will provide a tangible benefit in terms of security vs just using a long, complex password stored in a KeePass vault. Especially given the fact that cPHulk puts such severe limitations on attempts to brute force the password remotely.
 

Ichiban

Member
Bump :)

Just hoping to get some experienced input as to whether or not a password vault like KeePass combined with a long, randomized root password and cpHulk is a decent alternative to the usual ssh key-only login policy.
 

KH-Jonathan

Director of Managed Services
Staff member
Woah, don't know how I missed this one!

The answer from my experience is pretty simple. While a key is generally preferred by "security nuts", I've never seen a server with a very long and secure password be compromised via that password.

In addition to the password, you could like SSH down to only certain IPs, etc.
 

Dan

Moderator
Jonathan,

Wouldn't KH support's IP numbers need to be included in that list?

Unfortunately with Comcast my IP occasionally changes so I've always been leery of doing something like this.
 

Nicki

Member
Adding KH Support's IPs is always a good idea, IMO. If one day you find yourself needing assistance, Support would have to wait to gain access. That puts a delay on getting any resolution. :)
 
Top