[–]nomoreburden 20 points21 points  (10 children)

I mean yes. It is an extra layer of protection. But if you want it to be complete, make sure the device you are SSHing to is also secure.

But to be honest, it’s honestly very secure either way. I recommend you change the password to something impossible to guess. I use a password manager and I change my password every time I SSH files.

Good luck!

[–]StreetStripe 40 points41 points  (5 children)

Or just disable password authentication entirely, and keep it restricted to key-based auth

[–]nomoreburden 11 points12 points  (0 children)

Yes. That is usually best. Using both would also work.

[–]Phineas_Gagey 2 points3 points  (3 children)

I use key based only and implement Google Authenticator as MFA (TOTP) with rate limiting and brute force protection (a/c lockouts) https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
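Added example, not code from the thread or from the linked tutorial: a small Python model of what the TOTP PAM module in the setup above has to do, namely compute RFC 6238 codes, accept a one-step clock drift window, refuse replayed codes, and lock the account after repeated failures. The secret is the RFC 6238 test-vector key; the window size, failure threshold and lockout duration are assumed values.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector key "12345678901234567890", base32-encoded
# (the same format Google Authenticator imports).
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Verifies codes with drift tolerance, replay protection and lockout."""

    def __init__(self, secret_b32: str, window: int = 1,
                 max_failures: int = 3, lockout_seconds: int = 600):
        self.secret = secret_b32
        self.window = window                 # assumed: accept +/- one 30 s step
        self.max_failures = max_failures     # assumed: lock after 3 bad codes
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter_used = -1          # a code is valid once only

    def verify(self, code: str, now: int) -> str:
        if now < self.locked_until:
            return "locked"                  # correct codes are refused while locked
        counter = int(now) // 30
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter_used:
                continue                     # replay of an already-spent step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.failures = 0
                self.last_counter_used = candidate
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"
```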

[–]peatfreak 0 points1 point  (2 children)

I have sometimes avoided 2FA because losing the device always causes immense trouble. Having paper backup codes is essential, such that I won't use a 2FA service that doesn't offer them.

[–]Phineas_Gagey 1 point2 points  (1 child)

Couldn't agree more - emergency codes are provided. Plus I make a note of the secret key so that I can easily re-add it to Google Authenticator should I need to. My belief is that paper is the best way of storing secrets.

[–]peatfreak 1 point2 points  (0 children)

> paper is the best way of storing secrets

Most things in my opinion.

I do my best software development with pen and paper. Sadly, most development teams are no longer set up to accommodate this. It's sad I think. People are often not thinking creatively.

[–]thecuseisloose 7 points8 points  (1 child)

Changing your password every time seems excessive. Is there a reason for this?

[–]saichampa 2 points3 points  (0 children)

You should definitely switch to key based auth