[server-admins] Server SSH Access

Troy A. Griffitts scribe at crosswire.org
Mon Oct 5 15:40:58 MST 2015


Dear all,

With the crazy amount of brute force attempts to login to our server via
SSH, and since it's been 20 years since we've actually removed any
accounts on the server, I'd like to do 2 things:

1) Could everyone please upload your public key to

$HOME/.ssh/authorized_keys2

and ensure you can log in to your account via your key pair.

Permissions and ownership need to be set exactly as:

[scribe@www .ssh]$ pwd
/home/scribe/.ssh
[scribe@www .ssh]$ ls -lat
total 16
drwx--x--x. 39 scribe scribe 4096 Sep 30 10:24 ..
drwx------.  2 scribe scribe 4096 Apr 27 14:19 .
-rw-r--r--.  1 scribe scribe 1938 Aug  9  2013 known_hosts
-rw-r--r--.  1 scribe scribe  610 Nov  4  2010 authorized_keys2


That's:
711 on your home folder
700 on your $HOME/.ssh
and 644 on $HOME/.ssh/authorized_keys2

Ownership and group need to be yours personally.

If you have questions or need help, please ask.

2) After everyone here is working well, we'll turn off password
authentication access via SSH.  I'll do a 'last' on the server and see who
else is actively using the server over the past year and who isn't also
on our admins and private lists and let them know.  We'll keep all
accounts around for the remainder of the year and then archive off
anyone who hasn't accessed their account in 2015.

Reading about Linux botnets that grow via SSH brute force password hacks
has made it evidently clear that we should not allow password access via
SSH.

Martin Gruner (I believe he's still on one of these lists) wanted to
switch to key-based SSH login years ago, and I decided against it
because my thoughts were: If someone gets my device, they can log in to
all systems which have my public key authorized.  But now I am convinced
that this seems less likely than a brute force hack of any of a number
of ancient accounts on the server.

Also, it seems about time to clean things up a bit.

Hope everyone is well,

Troy
