Re: [bitfolk] SSH access to Xen Shell will have to be tighte…

Author: Alun Jones
Date:  
To: users
Subject: Re: [bitfolk] SSH access to Xen Shell will have to be tightened up

gpg: Signature made Fri Mar 2 14:38:56 2018 UTC
gpg: using RSA key 17CE11E90C6CDF5B07B173F291E17A53337B09CC
gpg: Can't check signature: No public key
On Fri, 02 Mar 2018 14:09:38 +0100
Richard Glynos <richardmglynos@???> wrote:

> I agree with Keith. I would find it problematic if I couldn't have
> password access to the Xen shell from time to time to resolve
> issues. I also use ipset on my VPS which I find flexible and powerful
> in keeping unwanted callers out. I'm using port 22 on the VPS but
> with key access only.


Something I find useful: libpam-google-authenticator. I seem to remember
you're already using Google Authenticator for other things, Andy, so
it probably wouldn't take much extra work to set up.

I've configured SSH on my VPS (and other Internet-facing SSH services)
so that if public key authentication is used, I get straight in, but if
password authentication is used then a Google Authenticator challenge is
required too.

That way, the authenticator stays out of the way for most usage, but I can
get in from anywhere using my password, so long as I've got my phone handy.
I don't need to worry about SSH brute force attempts against accounts on
my machines and I just let fail2ban do its thing.

Would that help for access to Xen Shell? It's not a very high extra bar for
people to leap over in emergency cases. Just a thought...

Cheers,
Alun.
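
One way to get the behaviour described in the message above (a key gets straight in, a password also needs an authenticator code), together with a check for it. This is an added example, not the poster's or BitFolk's configuration; it assumes OpenSSH with PAM and Debian-style PAM files, and the sample files and the `check_policy` helper are constructed here.

```shell
#!/bin/sh
# Constructed sshd_config fragment (assumes OpenSSH with PAM). Either method
# list suffices: a key alone, or keyboard-interactive via PAM (password + TOTP).
# The plain "password" method is off: it is a single-field exchange with no
# prompt for the code. Older OpenSSH spells KbdInteractiveAuthentication as
# ChallengeResponseAuthentication.
sample_sshd_config() {
cat <<'EOF'
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey keyboard-interactive:pam
EOF
}

# Constructed /etc/pam.d/sshd auth lines (Debian-style include assumed):
# the password stack first, then the authenticator code.
sample_pam_sshd() {
cat <<'EOF'
@include common-auth
auth required pam_google_authenticator.so
EOF
}

# check_policy SSHD_TEXT PAM_TEXT: prints "ok" or the first problem; returns 0 or 1.
check_policy() {
  sshd=$(printf '%s\n' "$1" | sed 's/#.*//' | tr '[:upper:]' '[:lower:]')
  methods=$(printf '%s\n' "$sshd" | awk '$1 == "authenticationmethods" { $1 = ""; print }')
  key_only=no; kbd_pam=no
  for m in $methods; do
    case $m in
      publickey) key_only=yes ;;
      keyboard-interactive|keyboard-interactive:pam) kbd_pam=yes ;;
      password) echo "method 'password' has no prompt for the TOTP code"; return 1 ;;
    esac
  done
  [ "$key_only" = yes ] || { echo "no key-only method list"; return 1; }
  [ "$kbd_pam" = yes ] || { echo "no keyboard-interactive method list"; return 1; }
  printf '%s\n' "$sshd" | grep -Eq '^[[:space:]]*usepam[[:space:]]+yes' ||
    { echo "UsePAM is not enabled"; return 1; }
  totp=$(printf '%s\n' "$2" | sed 's/#.*//' | grep -E \
    '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so') || true
  [ -n "$totp" ] || { echo "no required pam_google_authenticator.so auth line"; return 1; }
  case $totp in
    *nullok*) echo "nullok lets accounts without a TOTP secret skip the code"; return 1 ;;
  esac
  echo ok
}

check_policy "$(sample_sshd_config)" "$(sample_pam_sshd)"
```

On a live host the first argument can come from `sshd -T`, which prints the effective settings with lowercase keywords.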