by yeukhon
3815 days ago
> A simpler and more robust method is SSH Keys + Passwords. I should write a blog post on this...
>
> Problem 1. Now you have to maintain passwords.
>
> Problem 2. Now you have to handle the prompt. Some cfg tools are capable, but it is quite painful for others, which means you can't automate the 2nd auth. Actually, you can automate the 2nd auth; there are paid services out there that offer an API.
>
> IMO, actually, a better approach:
>
> * each instance only allows connections coming from a known network
> * users must be authenticated and authorized with LDAP / added to the authorized_keys file, and SSH logging is enabled
> * automation should retrieve the private key from some safe location and constantly rotate keys across instances. This is quite easy on AWS with IAM if you run infrastructure on AWS. For non-AWS, you just harden the location twice as hard.
You can use ssh-agents for this. Some people consider that cheating though ;)
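The "only allow from a known network" and authorized_keys points in the quoted comment can be checked mechanically. The following is an added example, not code from the thread: it parses `authorized_keys` lines and flags keys that carry no `from=` restriction or are pinned to networks outside an allowlist. The allowlist CIDRs and the sample key file are constructed for illustration.

```python
import ipaddress
import re

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Constructed allowlist of "known networks"; real values are site-specific (assumption).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
OPTS_RE = re.compile(r'(?:[^,"]|"[^"]*")+')    # one option; commas inside quotes are kept
FIELD_RE = re.compile(r'^(?:[^\s"]|"[^"]*")+')  # options field up to the first unquoted space

def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.startswith(KEY_TYPE_PREFIXES):   # a leading options field is present
        m = FIELD_RE.match(line)
        if not m:
            return None
        options, line = OPTS_RE.findall(m.group(0)), line[m.end():].strip()
    parts = line.split(None, 2)                  # key type, base64 key, optional comment
    return (options, parts[0], parts[2] if len(parts) > 2 else "") if len(parts) >= 2 else None

def audit(text):
    """Flag keys with no from= restriction, or pinned to networks outside the allowlist."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        label = comment or key_type
        pats = [o[5:].strip('"').split(",") for o in options if o.startswith("from=")]
        if not pats:
            findings.append((label, "no from= restriction"))
            continue
        for p in pats[0]:
            try:   # hostname, wildcard and negated (!) patterns are not CIDRs: flag for review
                net = ipaddress.ip_network(p, strict=False)
            except ValueError:
                findings.append((label, f"non-CIDR from= pattern {p!r}"))
                continue
            if not any(k.version == net.version and net.subnet_of(k) for k in KNOWN_NETWORKS):
                findings.append((label, f"{p} outside known networks"))
    return findings

# Constructed sample: one key pinned to a known network, one unrestricted, one pinned elsewhere.
SAMPLE = """\
from="10.0.0.0/8",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY deploy@ci
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2 alice@laptop
from="203.0.113.0/24",command="/usr/bin/backup" ssh-rsa AAAAB3EXAMPLE backup@offsite
"""
```

Running `audit(SAMPLE)` reports the unrestricted `alice@laptop` key and the `backup@offsite` key pinned to a network outside the allowlist; the `deploy@ci` key passes.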