On Thu, Dec 5, 2019 at 9:02 AM John M. Harris Jr <johnmh(a)splentity.com> wrote:
> Please don't recommend to anyone to use passwords for SSH. That is incredibly
> insecure, and if privileged users are using password-based SSH, that'll
> quickly lead to a serious compromise of your entire system, depending on the
> complexity of the password, of course, but still holds nothing to key-based
> authentication with the best password.

I was merely pointing out the options. Believe me, for SSH, I've seen
some very astute and some quite foolish authentication practices
since I published the first public ports of ssh-1 and ssh-2 to SunOS
back in the 90's.

> > In common usage, very few people encrypt their home directories
> > separately from their basic disk image. It makes system management for
> > administrators or even a local root user very awkward. I could see it
> > for home directories in "/home", and it would only cost SSH key based
> > access, not ordinary password or Kerberos ticket based login. But it
> > sounds quite risky and destabilizing, much as the "kill dangling
> > processes when people log out". That caused a lot of shock when it
> > was activated by default and started killing processes with no
> > logging. Let's not repeat a surprise like that and avoid killing SSH
> > key access by default.
>
> A bit off topic, but where is "kill danging processes when people log out"
> set? I've not experienced that anywhere.

Sorry, should have spelt that "dangling". systemd does so by default
based on a compile-time option, and for a time Fedora had it enabled
by default. After quite a furor, they elected to disable this normally
unwelcome feature by default. See /etc/systemd/logind.conf for the
"#KillUserProcesses=no" line.
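
Added example, not part of the original message: a shell function that reports which KillUserProcesses value is actually configured, since a commented-out line in /etc/systemd/logind.conf can be overridden by a logind.conf.d drop-in. The function name and its ROOT argument are hypothetical, and it assumes file names without whitespace.

```shell
#!/bin/sh
# Report the KillUserProcesses value configured for systemd-logind.
# ROOT (hypothetical parameter) lets the check run against a mounted
# image or a constructed test tree instead of the live "/".
# Usage: effective_kill_user_processes /
effective_kill_user_processes() {
    root="${1:-}"
    root="${root%/}"

    # Drop-ins are applied in file-name order across all directories;
    # for files with the same name, /etc beats /run beats /usr/lib.
    dropins=$(
        prio=0
        for dir in usr/lib/systemd run/systemd etc/systemd; do
            prio=$((prio + 1))
            for f in "$root/$dir/logind.conf.d"/*.conf; do
                if [ -f "$f" ]; then
                    printf '%s %s %s\n' "${f##*/}" "$prio" "$f"
                fi
            done
        done | LC_ALL=C sort -k1,1 -k2,2n |
        awk '{ if (NR > 1 && $1 != name) print path; name = $1; path = $3 }
             END { if (NR) print path }'
    )

    # The main file is read first; each later assignment replaces the
    # earlier one. Lines starting with "#" are comments and never match.
    value=""
    for f in "$root/etc/systemd/logind.conf" $dropins; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*KillUserProcesses[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value="$v"
        fi
    done

    # Nothing set anywhere means the build-time default is in force.
    echo "${value:-unset (compile-time default applies)}"
}
```

An "unset" result means the behaviour depends on how the distribution built systemd, so the value is worth pinning explicitly on hosts where long-running user processes matter.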