Every time I spin up a box by hand (which isn't often), I'll set up a sudo user with my SSH key, then drop out of the root shell and log back in as the new user. Only then will I disable root login and password auth over SSH and start setting up fail2ban and the like.
If I lose access by, say, switching to a new computer and losing my SSH key, then I'm more or less dead in the water. But it's a small price to pay, and 1Password supports SSH keys first-class now.
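The sequence the commenter describes, as an added example (editor's code, not the commenter's own script): create the sudo user, install one key, then drop in the sshd lockdown, with the checks that keep you from locking yourself out. It assumes a Debian/Ubuntu layout (group `sudo`, `adduser`, a stock `sshd_config` whose `Include /etc/ssh/sshd_config.d/*.conf` line comes first, service name `ssh`); the user name, key and file names are placeholders.

```shell
#!/bin/sh
# Added example, not the commenter's script. Assumes Debian/Ubuntu
# conventions: "sudo" group, adduser, sshd_config.d drop-ins, "ssh" unit.
set -u

SSHD_DROPIN_DIR="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"

# The lockdown drop-in. sshd keeps the FIRST value it sees for a keyword,
# and the stock config's Include line precedes everything else, so this
# drop-in beats any later "PasswordAuthentication yes" in sshd_config.
hardening_conf() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF
}

# Accept only key types worth installing: ed25519 (plain or FIDO2 "sk"),
# ECDSA P-256 (plain or sk) and RSA. ssh-dss and anything unknown is refused.
pubkey_type_ok() {
    case "$1" in
        "ssh-ed25519 "*|"sk-ssh-ed25519@openssh.com "*|\
        "ecdsa-sha2-nistp256 "*|"sk-ecdsa-sha2-nistp256@openssh.com "*|\
        "ssh-rsa "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check that a config file pins every directive we rely on, using the same
# first-occurrence rule sshd applies. Pure text, so it runs without sshd.
sshd_is_hardened() {
    file="$1"
    for want in "permitrootlogin no" "passwordauthentication no" \
                "kbdinteractiveauthentication no" "pubkeyauthentication yes"; do
        kw="${want%% *}"
        got=$(awk -v kw="$kw" 'tolower($1) == kw { print tolower($1), tolower($2); exit }' "$file")
        [ "$got" = "$want" ] || return 1
    done
    return 0
}

# Create the admin user and install exactly one authorized key.
create_admin_user() {
    user="$1"; pubkey="$2"
    pubkey_type_ok "$pubkey" || { echo "refusing key type: ${pubkey%% *}" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$user"
    usermod -aG sudo "$user"
    # Interactive: sudo still wants a password even though sshd will stop
    # accepting one, so set it now rather than discover this after lockdown.
    passwd "$user"
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    printf '%s\n' "$pubkey" > "/home/$user/.ssh/authorized_keys"
    chown "$user:$user" "/home/$user/.ssh/authorized_keys"
    chmod 600 "/home/$user/.ssh/authorized_keys"
}

# Write the drop-in, validate it with "sshd -t", and only then reload.
# Keep the root session open; the reload does not kill it. From a second
# terminal, confirm "ssh user@host sudo -v" works before closing it.
apply_hardening() {
    dropin="$SSHD_DROPIN_DIR/10-hardening.conf"
    hardening_conf > "$dropin"
    if ! sshd -t; then
        echo "sshd rejected the new config; rolling back" >&2
        rm -f "$dropin"
        return 1
    fi
    systemctl reload ssh
}

# Usage (as root, after the first login):
#   sh harden.sh apply deploy "ssh-ed25519 AAAA... laptop"
if [ "${1:-}" = "apply" ]; then
    create_admin_user "$2" "$3" && apply_hardening
fi
```

The two things people usually skip are the `sshd -t` gate (a typo in the drop-in and the next reload leaves you with no sshd at all) and the second-terminal login check before the root shell is closed; the drop-in file name starts with `10-` so it sorts ahead of other drop-ins, which matters because sshd honours the first value it reads.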
At that point, why not just do FIDO2 with a YubiKey or something? E.g. https://www.ajfriesen.com/yubikey-ssh-key/. As long as you don't lose the YubiKey or the backup YubiKeys, you're good.