dhis2-users team mailing list archive
Message #00949
Re: Secure remote access
I mean keys when I say certificate. I believe they're used interchangeably,
but that might be incorrect. Thanks for your clarification.
However, I think it's an important point that the key should be protected
by a passphrase. If someone breaks into the PC where the private key is
stored and they can use that without a passphrase to log into DHIS, it
creates a network of possible failures that is hackable. I doubt everyone
has the same security policy on their local machine as they should have on
the state DHIS server, so a key without a passphrase would be dangerous
(please let me know if you disagree). I guess alternatively it's possible
to still have a password on a server and require both a password and an SSH
key? This might be even safer.
Lars
2012/3/9 Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> On 9 March 2012 11:52, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> >>
> >> I'd use HTTPS/SSL for web access and definitely use SSH (preferably using
> >> both certificates and passwords) for server access (for people administering
> >> the linux installations).
> >>
> >
> > SSH is a must. I would also move it to a non-standard port, and
> > disable remote access with passwords, and disable the root user from
> > being able to login over SSH. You will still get a lot of bot attacks,
> > but using certificates (with a password) will greatly increase the
> > security of the server.
>
> what certificates? I just use my public and private key combination
> ie. copy my public key into ~/ssh/authorized_keys on the server.
>
> Disabling remote access with passwords is really important, but
> sometimes it takes a bit of time getting people used to using keys.
> Worth the effort though. Don't lose the keys.
>
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~dhis2-users
> > Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~dhis2-users
> > More help : https://help.launchpad.net/ListHelp
>
--
Lars Kristian Roland
Research Fellow, Department of Informatics, University of Oslo
Email: lars@xxxxxxxxx - roland@xxxxxxxxxx
Phone: +47 90733036
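
The two checks discussed in this thread, as an added example that is not part of the original messages: whether a private key file is protected by a passphrase, and whether an `sshd_config` disables root login and stops a password alone from being enough. It assumes OpenSSH; the `AuthenticationMethods` keyword is an OpenSSH option not named in the thread, and the sample config is constructed.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"

def key_has_passphrase(key_text):
    """True if the private key is encrypted at rest, False if stored in the clear."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 key")
        # After the magic: uint32 length, then the cipher name ("none" = no passphrase)
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    # Legacy PEM keys flag encryption in a header line
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def audit_sshd_config(text):
    """Return findings for the settings discussed in the thread."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional blocks are out of scope here
        if len(parts) == 2:
            # sshd keeps the first value given for a keyword
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    if seen.get("permitrootlogin") != "no":
        findings.append("root can log in over SSH")
    methods = seen.get("authenticationmethods", "any")
    key_required = methods != "any" and all(
        "publickey" in m.split(",") for m in methods.split())
    if seen.get("passwordauthentication", "yes") != "no" and not key_required:
        findings.append("a password alone is enough to log in")
    return findings

# Constructed sample: key AND password both required, root login disabled
SAMPLE_CONFIG = """
Port 2222
PermitRootLogin no
PasswordAuthentication yes
AuthenticationMethods publickey,password
"""

if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_CONFIG))
```

The audit does not evaluate `Match` blocks or keyboard-interactive authentication, so a clean result covers only the global settings shown.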