How do I gracefully exit/shutdown a "remote" machine?

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Jul 21 02:48:22 UTC 2005


On 7/20/05, William Park <opengeometry-FFYn/CNdgSA at public.gmane.org> wrote:
> On Wed, Jul 20, 2005 at 05:53:32PM -0400, Henry Spencer wrote:
> > On Wed, 20 Jul 2005, CLIFFORD ILKAY wrote:
> > > > ...direct root login can be very convenient for administering
> > > > machines on a seriously-private network, but...
> > >
> > > I disable remote root access on all my machines. How about
> > > disallowing password auth completely and only allowing key based
> > > auth?
> >
> > Crypto authentication -- of both machines and users -- is definitely
> > the way to go if you're going to allow direct root login, and there is
> > much to be said for it in general.
> >
> > (Knowing the root password on my secondary machines wouldn't help you,
> > because it doesn't get you in.  Either the machine already knows who a
> > remote user is and where he's calling from, by crypto authentication,
> > and thus doesn't need to ask for a password, or it doesn't know, and
> > will reject the connection without ever prompting for a password.)
> 
> Henry and Clifford,
> 
> This issue is my pet peeve, partly because most people simply buy the
> hype because it's in the news.  I do password access only (i.e. disable
> key encryption) for all machine access, and do file encryption if it's
> sensitive.  Main reason is that computers get stolen.
> 
> How would you counter this point?  If you have a machine in Waterloo,
> and your Toronto workstation is stolen.  No one in Waterloo knows you,
> and your car is in the garage for a week.  What do you do?

You're out of luck if you don't have *some* data locally.

You can't afford to be in the situation of not having access to
Waterloo unless you have a good backup of your Toronto-based systems
in Toronto.

You're not presenting a valid argument against PK-based access; you're
presenting a valid argument *for* setting up a competent backup
regimen.

After all, I would surely hope you could put a reasonable amount of
authentication information (e.g. - copy of ~/.ssh) on (oh, say) a USB
key that you put in a safe spot.  If it's on a chain around your neck,
well, if you make it out of the apartment fire that destroyed the
Toronto-based PC, then you probably have a usable set of SSH keys
around your neck.
-- 
http://www3.sympatico.ca/cbbrowne/linux.html
"The true  measure of a  man is how he treats  someone who can  do him
absolutely no good." -- Samuel Johnson, lexicographer (1709-1784)
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
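
The key-only setup discussed in the quoted part of this thread (the server never prompts for a password, and root gets in only with a key) can be checked against an OpenSSH server configuration. The script below is an added example, not part of the original message; the function names, finding labels and sample config are constructed, and it assumes current OpenSSH defaults and a config without Include directives.

```shell
#!/bin/sh
# Added example: does this sshd_config ever fall back to a password prompt?
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional, so only the
# global section before the first Match is evaluated here.

# effective_value FILE KEYWORD DEFAULT -> prints the global value in effect
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                  # skip comment lines
        { sub(/=/, " ") }                    # accept the "Keyword=value" form
        tolower($1) == "match" { exit }      # conditional blocks start here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints space-separated findings, or OK
audit_sshd() {
    findings=""
    pw=$(effective_value "$1" PasswordAuthentication yes)
    # Older releases name this keyword ChallengeResponseAuthentication.
    # With PAM it can still ask for a password when the line above says no.
    kbd=$(effective_value "$1" KbdInteractiveAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$pw" = no ]  || findings="${findings}password-auth-enabled "
    [ "$kbd" = no ] || findings="${findings}kbd-interactive-enabled "
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) findings="${findings}root-password-login-allowed " ;;
    esac
    findings=${findings% }
    echo "${findings:-OK}"
}

# Constructed sample config (not from the thread).
sample_config() {
    cat <<'EOF'
# the second PasswordAuthentication line is ignored: first value wins
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin=without-password
Match Address 10.0.0.0/8
    KbdInteractiveAuthentication no
EOF
}

tmp=$(mktemp); sample_config > "$tmp"; audit_sshd "$tmp"; rm -f "$tmp"
# prints: kbd-interactive-enabled
```

For the authoritative resolved settings on a live host, including Match and Include handling, compare against the output of `sshd -T`.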