[Discuss] PSA: no root login for SSH
Daniel Barrett
dbarrett at blazemonger.com
Thu Dec 24 12:18:44 EST 2020
On December 24, 2020, Michael Tiernan wrote:
>I've got one [user] that every 30secs launches a script that logs in,
>checks a dir for files then closes. Using his unprotected key.

Do you mean an SSH key with an empty passphrase? Actually, this can be
done fairly securely and is particularly good for scripting. Create a
distinct key pair, with empty passphrase, and on the server side, set
up authorized_keys to use a forced command (man sshd), e.g.,
'command="/bin/ls myfile"'. Even if the private key is stolen, all the
attacker can do is run "/bin/ls myfile" on the remote system, not a
login shell.

I'm not saying that Michael's user is doing it this way. :-) But it's
a reasonable technique.

--
Dan Barrett
dbarrett at blazemonger.com
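
Added example, not part of the original message: a small audit of an authorized_keys file for the forced-command setup described above, reporting which keys still give a login shell and which are pinned to a command. The function names, status labels and sample keys are constructed for illustration; the FORCED_FWD label reflects the sshd(8) note that a client may still request TCP or X11 forwarding on a command= key unless that is prohibited, e.g. with the restrict option.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
FORWARD_OFF = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
SAMPLE = r'''# Constructed sample: key bodies are placeholders, not real keys
ssh-ed25519 AAAAEXAMPLE1 alice@laptop
command="/bin/ls myfile" ssh-ed25519 AAAAEXAMPLE2 poller@cron
restrict,command="/bin/ls myfile" ssh-ed25519 AAAAEXAMPLE3 poller2@cron
from="192.0.2.5",command="echo \"a, b\"",no-pty ssh-rsa AAAAEXAMPLE4 quoted@test
'''

def parse_line(line):
    """Return (options dict, key type, comment) for one authorized_keys line."""
    opts, field, quoted, i = {}, "", False, 0
    if not line.startswith(KEY_PREFIXES):        # line begins with an options field
        while i < len(line):
            ch = line[i]
            if quoted and line[i:i + 2] == '\\"':  # \" is a literal quote in a value
                field, i = field + '"', i + 2
                continue
            if ch == '"':
                quoted = not quoted
            elif not quoted and ch in ", \t":    # option separator or end of options
                name, _, value = field.partition("=")
                opts[name.lower()] = value       # option keywords are case-insensitive
                field = ""
                if ch != ",":
                    break
            else:
                field += ch
            i += 1
    rest = line[i:].split()
    return opts, (rest[0] if rest else "?"), " ".join(rest[2:])

def audit(text):
    """Classify each key: SHELL, FORCED_FWD (forwarding not disabled) or FORCED."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _keytype, comment = parse_line(line)
        if "command" not in opts:
            status = "SHELL"                     # key opens an ordinary login
        elif "restrict" in opts or FORWARD_OFF.issubset(opts):
            status = "FORCED"                    # simplification: ignores re-enabling options
        else:
            status = "FORCED_FWD"
        findings.append((lineno, comment, status, opts.get("command")))
    return findings

print(*audit(SAMPLE), sep="\n")
```

To check a real file, pass its contents to audit(); any key used by an unattended script that comes back as SHELL is not using the technique from the message.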