100 000 times yes: I do something similar and I described that here on HN in a comment / comments in the past! The way I do it is a bit different... I'm using a dedicated machine as my physical "SSH console" and that machine is living on a private LAN which is separated from the rest of the machines at home. It's on an unmanaged switch, using ethernet cables (but no trunk). Then the only way to log in is using SSH but, here's a little spin... with a Yubikey. The desktop PC has its own firewall, only accepting SSH traffic in from the IP / MAC address of my "SSH console" (on the private LAN it's sharing with the SSH console... On the other physical LAN, my desktop can access the Internet). Then the sshd daemon is configured to only allow pub/priv key logins, no password logins. So basically when I need root, I boot up my "SSH console" (which boots ultra quickly for there's basically nothing on that machine), log in, hit the up arrow to get back the "ssh root@..." line, hit enter, press the Yubikey. That "ssh console" and its keyboard is on my desk, always within reaching distance. iptables/nftables (on a private LAN moreover, physically separated from the other private LAN) + sshd: you judge if this is more or less secure than sudo binaries / su. As to the "why", I'd answer "because I can". I did set that up such a long time ago that I don't even remember when I did. I think I started toying with that idea two years ago and I've been using it ever since. Zero problem. Not a single issue.
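The setup described in the comment above has two configurable parts: an sshd that refuses password logins, and a host firewall that admits SSH only from the one "console" host on the dedicated LAN. The script below is an added example, not the commenter's own configuration: it prints an sshd_config fragment and an nftables ruleset for that arrangement, and includes a small audit function that checks an existing sshd_config for the two settings the design relies on. The console address, MAC and interface name (`CONSOLE_IP`, `CONSOLE_MAC`, `LAN_IF`) are constructed placeholders to be replaced with real values.

```shell
#!/bin/sh
# Added example (not from the HN comment): config fragments for a
# "console-only" SSH host, plus an audit of sshd_config.
# The three values below are constructed placeholders, not real hosts.
CONSOLE_IP="${CONSOLE_IP:-192.0.2.10}"          # constructed: console's address on the private LAN
CONSOLE_MAC="${CONSOLE_MAC:-02:00:00:00:00:01}" # constructed: locally administered MAC
LAN_IF="${LAN_IF:-eth1}"                        # assumed: NIC facing the private console LAN

# sshd_config lines: keys only, no passwords, root allowed only with a key.
# KbdInteractiveAuthentication is the OpenSSH >= 8.7 name for the old
# ChallengeResponseAuthentication keyword; both are real sshd keywords.
sshd_hardening() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF
}

# nftables ruleset: default-drop inbound, accept loopback and replies,
# and accept TCP/22 only when it arrives on the console LAN interface
# from the console's IP *and* MAC. Outbound traffic (the other LAN's
# Internet access) is not restricted by this table.
nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "$LAN_IF" ip saddr $CONSOLE_IP ether saddr $CONSOLE_MAC tcp dport 22 accept
    }
}
EOF
}

# Audit: return 0 if the given sshd_config disables password logins and
# keeps public-key auth enabled. sshd honours the FIRST occurrence of a
# keyword, so the audit reads the first one too; commented lines are
# skipped because their first field starts with '#'. Match blocks are
# not evaluated here.
sshd_audit() {
    cfg="$1"
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    pk=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$cfg")
    # sshd defaults when a keyword is absent: both are "yes".
    pw="${pw:-yes}"
    pk="${pk:-yes}"
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

# Stand-alone use: print both fragments for review before applying them
# (e.g. `sh script.sh show`), then `nft -f` the ruleset and reload sshd.
if [ "${1:-}" = "show" ]; then
    sshd_hardening
    nft_ruleset
fi
```

Run the audit against `/etc/ssh/sshd_config` after editing; a commented-out `PasswordAuthentication no` leaves the default of `yes` in force, which is the case the audit is meant to catch. The MAC match only has meaning on the directly attached LAN, which is exactly the topology the comment describes.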