Linode Forum
Linode Community Forums
PostPosted: Tue Mar 31, 2009 4:38 pm 
Newbie
Joined: Mon May 19, 2008 10:24 am
Posts: 4
I am worried that the linode manager is the least secure part of my setup.

I would like to see some more advanced authentication for the manager.

Another option would be to require a second password to delete a node or modify lish access etc.

Maybe offer RSA SecurID tags? I would be willing to pay more for more security.

Does anyone else have any concerns or suggestions?


 Post subject: Ditto
PostPosted: Sat Apr 04, 2009 10:11 pm 
Senior Member
Joined: Thu Mar 06, 2008 12:21 am
Posts: 59
Yeah, a SecurID setup would be nice. Bonus if it could use the same authenticator I use with Blizzard! :)


PostPosted: Sun Apr 05, 2009 4:54 am 
Senior Member
Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
I'll second that :-). I'll be happy to pay for it, within reasonable limits of course .....


PostPosted: Sun Apr 05, 2009 11:08 am 
Senior Member
Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
I think that this would be a valuable additional service for Linode to offer. We use SecurID for all our VPNs at work and I can recommend it. However, it is not cheap.

_________________
/ Peter


PostPosted: Sun Apr 05, 2009 1:53 pm 
Senior Member

Joined: Mon Feb 28, 2005 7:21 pm
Posts: 76
sschueller wrote:
I am worried that the linode manager is the least secure part of my setup.

I would like to see some more advanced authentication for the manager.

Another option would be to require a second password to delete a node or modify lish access etc.


Needing to re-enter the password, or a secondary "superadmin" password to delete a node would be good anyway, and not just for security.

My feeling is that the weakest point isn't the web interface, it's the SSH access through the host (Lish). For example, if you ever set up a Lish password, you can't disable password authentication.

A while ago I submitted a feature request asking if Lish could be disabled entirely using an option in the Web interface. I'd just log in and enable it as needed for a particular node, but at least it would close a door that is not typically needed. I can only imagine how many SSH brute force attempts Linodes see every day...

Another idea to improve web interface security would be to add a secondary authentication method, such as a set of images or passphrases. Such two-stage authentication is good enough for online banking, but still simpler and cheaper than the crypto cards.


PostPosted: Sun Apr 05, 2009 2:39 pm 
Senior Member
Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
phvt wrote:
My feeling is that the weakest point isn't the web interface, it's the SSH access through the host (Lish). For example, if you ever set up a Lish password, you can't disable password authentication.

The web interface may not be the weakest link but it is all-powerful - once you're in, there's nothing you can't do.

Best way to secure Lish - use Lish keys and then set your Lish password to be as long and obscure as possible - you'll not be using it unless you screw your keys so 16 characters of gibberish is ok.

_________________
/ Peter


PostPosted: Sun Apr 05, 2009 2:49 pm 
Senior Member
Joined: Thu Mar 06, 2008 12:21 am
Posts: 59
phvt wrote:
My feeling is that the weakest point isn't the web interface, it's the SSH access through the host (Lish). For example, if you ever set up a Lish password, you can't disable password authentication.


I set up an ssh key that has a pass phrase. That's technically two-factor authentication because it's something you have to have (the key file) and something you know (the pass phrase).

To effectively disable the password, generate a random password, paste it in there, forget it, never use it. Yeah, would be best if it could be disabled though if not needed.

I disabled password auths on my sshd_config as well. That thing is constantly getting nailed by dict attackers.


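As an added example (not code from any poster or from Linode), a POSIX shell script that checks whether an sshd_config effectively disables password logins, as the last post describes, and mints a long random fallback password of the kind Peter suggests for Lish. It assumes the plain "Keyword value" config form and relies on sshd keeping the first value it reads for a keyword outside Match blocks.

```shell
#!/bin/sh
# Constructed example, not from the thread. Audits an sshd_config for
# password-based logins and generates a random high-entropy password.

# Print the effective value of a keyword (case-insensitive), honouring
# sshd's first-value-wins rule and ignoring Match blocks and comments.
# Usage: effective_setting <keyword> <default> <config-file>
effective_setting() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" -v def="$2" '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { in_match = 1 }
        in_match { next }                   # conditional blocks do not count
        tolower($1) == kw && !found { val = tolower($2); found = 1 }
        END { print (found ? val : def) }
    ' "$3"
}

# Return 0 when both PasswordAuthentication and keyboard-interactive
# (PAM-backed) logins are off, so only key-based logins remain.
password_auth_disabled() {
    pw=$(effective_setting PasswordAuthentication yes "$1")
    kbd=$(effective_setting KbdInteractiveAuthentication "" "$1")
    # Older OpenSSH releases spell this keyword ChallengeResponseAuthentication.
    [ -n "$kbd" ] || kbd=$(effective_setting ChallengeResponseAuthentication yes "$1")
    [ "$pw" = "no" ] && [ "$kbd" = "no" ]
}

# Emit N alphanumeric characters drawn from /dev/urandom (default 24).
# Reading 2N bytes leaves ample slack after the base64 symbols are removed.
random_password() {
    n=${1:-24}
    head -c "$((n * 2))" /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-"$n"
}

# Run the audit when a config path is given on the command line.
if [ $# -gt 0 ]; then
    if password_auth_disabled "$1"; then
        echo "password logins are disabled in $1"
    else
        echo "WARNING: password logins are still possible under $1"
    fi
    echo "random fallback password: $(random_password 24)"
fi
```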