Ssh – How to increase ssh security? Can I require both a key and password


I have a small network of servers and I would like to increase the general security. I don't have enough time/money/paranoia to set up a VPN — what's a basic way I can increase the security of my system?

One thing could be to require that users both send their key and enter a password. This is kinda hard to google for because everything about "ssh key password" is about sshing without a password. 🙂

One scheme I've always wanted to toy with is requiring that incoming connections only come from a whitelist of dyndns ip addresses. I know some security heads would vomit at the thought of the idea, but the fact of the matter is it would add very significant complexity to exploit a box.

What do you think? What else is out there?

Best Answer

The login with password and key is the same as "just with key". During the key creation, you are asked to enter a passphrase. If you leave it blank, you won't be asked for a password. If you fill in a passphrase, you'll be asked for it every time you want to log in.

If you are concerned about security, consider some of this advice, mentioned a trillion times in this forum:

  • Disable ssh login for root
  • Allow ssh access only from defined ip addresses (iptables, hosts.allow, ...)
  • Move ssh port to another port (more obscurity than security, but it works)
  • Monitor foreign login attempts and react accordingly
  • Keep your system up-to-date

Etc, etc.

Update: Please refer to the answer here for how to require both a public key and local system password with an OpenSSH server.
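
As an added example (not part of the original answer), this Python sketch audits the global section of an `sshd_config` for the root-login and port items from the checklist above, plus the key-and-password requirement mentioned in the update. It assumes OpenSSH's `AuthenticationMethods` directive is how both factors are enforced; the sample configs and finding names are constructed for illustration.

```python
import re

# OpenSSH defaults assumed when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "authenticationmethods": "any"}

def parse_global(text):
    """Parse the global section; sshd keeps the first value seen per keyword."""
    settings = {"port": []}
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.*)", raw.strip())  # comments/blank lines don't match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # conditional overrides follow; not audited here
            break
        if key == "port":  # Port may be given several times
            settings["port"].append(value)
        else:
            settings.setdefault(key, value)
    return settings

def requires_key_and_password(methods):
    """True only if every allowed method list demands a key AND a password."""
    def both(method_list):
        names = {m.split(":")[0] for m in method_list.split(",")}
        return "publickey" in names and bool(names & {"password", "keyboard-interactive"})
    lists = methods.lower().split()  # space-separated lists are alternatives
    return bool(lists) and all(both(l) for l in lists)

def audit(text):
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root-login-allowed")
    if not requires_key_and_password(cfg["authenticationmethods"]):
        findings.append("single-factor-login")
    if not cfg["port"] or "22" in cfg["port"]:
        findings.append("default-port")
    return findings

# Constructed sample configs.
WEAK = "#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "Port 2222\nPermitRootLogin no\nAuthenticationMethods publickey,password\n"

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in, which is the authoritative input for a check like this. Source-address restrictions applied in iptables or hosts.allow live outside `sshd_config` and are not covered here.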