@codeopensrc
Last active January 24, 2017 22:34
Better SSH security

http://serverfault.com/questions/334448/why-is-ssh-password-authentication-a-security-risk?rq=1

## Specify what commands/hosts the key can use

Options go at the start of the key's line in authorized_keys, separated by commas with no spaces outside double quotes, followed by a space and then the key itself.

command="/usr/local/bin/your_backup_script.sh" ssh-rsa auiosfSAFfAFDFJL1234214DFAfDFa...
allows only the command /usr/local/bin/your_backup_script.sh with that particular key.

from="yourclient,yourotherclient" ssh-rsa auiosfSAFfAFDFJL1234214DFAfDFa...
specifies the allowed hosts for the key.

from="yourbackupserver",command="/usr/local/bin/your_backup_script.sh" ssh-rsa auiosfSAFfAFDFJL1234214DFAfDFa...
combines the two.
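
To check which keys in an authorized_keys file actually carry the from= and command= restrictions described above, the following added example (not part of the original gist) parses the options field, including quoted values that contain commas, and reports what each entry is missing. The sample lines and key blobs are constructed placeholders, and the key-type list is an assumption that covers common types but not certificate types.

```python
import re

# Common key types (assumption: certificate key types are not listed here).
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[\w.@-]+)$")
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_options(line):
    """Split the options field from the key; quoted values may hold blanks."""
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes:
            i += 1                        # skip the escaped character
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            break                         # first unquoted blank ends the options
        i += 1
    return line[:i], line[i:].strip()

def audit(line):
    """Return (options, findings) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {}, []                     # blank line or comment
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}, ["no options: key works from any host, for any command"]
    field, rest = split_options(line)
    findings = []
    if field.endswith(","):
        findings.append("stray comma at end of options field")
    opts = {m.group(1).lower(): m.group(2) if m.group(2) is not None else True
            for m in OPTION.finditer(field)}
    if not rest or not KEY_TYPE.match(rest.split()[0]):
        findings.append("options field is not followed by a key type")
    for name in ("from", "command"):
        if name not in opts:
            findings.append(f"no {name}= restriction")
    return opts, findings

# Constructed sample lines; the key blobs are placeholders, not real keys.
SAMPLE = [
    'ssh-ed25519 AAAAC3placeholder admin@laptop',
    'from="yourbackupserver",command="/usr/local/bin/your_backup_script.sh" ssh-rsa AAAAB3placeholder backup',
    'from="yourclient,yourotherclient" ssh-rsa AAAAB3placeholder ops',
    'from="yourbackupserver", command="/usr/local/bin/your_backup_script.sh" ssh-rsa AAAAB3placeholder broken',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry)[1] or ["ok"], "<-", entry[:50])
```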

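## Allow passwords for select IPs

Password authentication is turned off globally and re-enabled only for connections from the listed private address ranges.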

PasswordAuthentication no  
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  
    PasswordAuthentication yes

## Disable passwords for select groups/users

Match Group SSH_Key_Only_Users  
    PasswordAuthentication no  

Match User Bad_User  
    PasswordAuthentication no  