Re: [bitfolk] The perils of opening tcp/22 to the Internet

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet

gpg: Signature made Sun Mar 14 10:47:33 2010 UTC using DSA key ID BF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>"
Hi Darren,

On Sun, Mar 14, 2010 at 10:34:54AM +0000, Darren Davison wrote:
> On Sun, Mar 14, 2010 at 09:25:39AM +0000, Kai Hendry wrote:
> > 'PasswordAuthentication no' and ssh keys is the right solution. If a
> > customer can't figure out how to generate an ssh key with puttygen or
> > ssh-keygen, I wouldn't take them.
>
> Frankly, I agree with Kai. If you can't figure out SSH keys, you have
> no business whatsoever running public SSH (or any other) services on the
> Internet.


Very few customers ask for provision with an SSH key. Of the
requests to set up rsync-over-ssh backups I've dealt with, many of
them involve a lot of back and forth because the customer was unable
to set up authentication by SSH key. A couple of people actually
gave up setting up backups because they couldn't figure it out. :/

Less than half of BitFolk's customer base is represented on this
mailing list, despite it saying at the bottom of the provisioning
email that you really should be on this list to hear about stuff.

All of this leads me to believe a few things:

- Most of BitFolk's customers are looking for personal hosting.

- They're not experienced sysadmins.

- They don't use SSH key auth.

- The people on this list are more into sysadmin than the average
BitFolk customer, and more likely to understand why they should be
using SSH keys.

I have had a poor success rate with enforced learning, and to me it
feels like it's going to be a real turn off for the average customer
if they find out they have to learn about SSH keys in order to buy a
VPS.

(this doesn't change the fact that I think that almost everyone
should be using SSH keys)

Do we know of any other VPS business that requires SSH key login? I
am aware of Steve Kemp's servers but I wouldn't really class them as
VPS businesses and that is pitched at much more technically adept
folks.

> On my network at home, I have key-only, no root login, and use Fail2Ban
> (with other services too, not just ssh). It's worked perfectly well for
> me for years. Fail2Ban might be too resource hungry on a busy machine
> though.


Like a lot of best practices, it's simple, effective and not widely
used due to ignorance/laziness.

The average BitFolk customer does not have backups or a firewall,
either. I can't even give away backups.

Cheers,
Andy
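As an added example (not from this thread, BitFolk or OpenSSH), a POSIX shell audit of the two sshd_config settings Kai and Darren describe, key-only authentication and no root login. The config fragments are constructed, the function names are my own, and the audit reads only the global section because sshd honours the first occurrence of a keyword there and treats Match-block settings as scoped to that block.

```shell
#!/bin/sh
# Constructed sample sshd_config fragments (not from any real host).
# The first looks hardened at a glance but is not: sshd honours the FIRST
# occurrence of a keyword in the global section, and a setting inside a
# Match block applies only to the users that block matches.
LOOSE_CONFIG='Port 22
# PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
'
# Minimal key-only configuration, as recommended in the thread.
KEY_ONLY_CONFIG='PasswordAuthentication no
PermitRootLogin no
'

# effective_setting CONFIG_TEXT KEYWORD DEFAULT
# Prints the value sshd would use: the first global-section match
# (keywords are case-insensitive), else DEFAULT. Assumes the common
# "Keyword value" form; the rarer "Keyword=value" form is not parsed.
effective_setting() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match"       { exit }             # end of global section
        tolower($1) == tolower(key)  { print tolower($2); found = 1; exit }
        END                          { if (!found) print def }
    '
}

# audit_sshd CONFIG_TEXT
# Returns 0 when password logins are disabled and root cannot log in with
# a password. Defaults used for absent keywords are those of OpenSSH 7.0+.
audit_sshd() {
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    root=$(effective_setting "$1" PermitRootLogin prohibit-password)
    status=0
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pw' (want no)"; status=1
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin is '$root' (want no or prohibit-password)"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: key-only authentication enforced"
    return "$status"
}

audit_sshd "$LOOSE_CONFIG" || echo "(loose config rejected, as expected)"
audit_sshd "$KEY_ONLY_CONFIG"
```

Run it against a real file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; on a live host `sshd -T` prints the fully resolved configuration and is the authoritative check.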