A few things:
(1) It is critically important to disallow password authentication, because otherwise SSH will systematically offer weaker and weaker alternatives and will accept(!) the weakest one.
(2) Be sure to use individual keys, which can be individually identified and repudiated.
(3) Strongly consider encrypting the keys on the client machines, so that some impediment exists to anyone who manages to break in to the client, and/or who steals key information from the client.
(4) Buttress your defenses with as many other defenses as you can, e.g. firewall rules. Insofar as possible, "don't even let Eve get close to that machine." Before she can try her key in the lock, she must first be able to reach the lock.
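
One way to check point (1) on a server, as an added example that is not part of the original post: the function below reads sshd_config text and reports any setting that leaves password or keyboard-interactive login enabled. The defaults are OpenSSH's documented ones, the sample config is constructed, and `Include` files are not followed.

```python
# Added example: flag sshd_config settings that still allow password logins.
# Defaults are OpenSSH's documented ones (sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
WANTED = {"passwordauthentication": "no",
          "kbdinteractiveauthentication": "no",
          "pubkeyauthentication": "yes"}
# Deprecated spelling still common in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def audit_sshd_config(text):
    """Return findings; an empty list means only key-based logins remain."""
    effective, seen, match, in_match = dict(DEFAULTS), set(), None, []
    for raw in text.splitlines():
        # "Keyword value" or "Keyword=value"; lines starting with # are comments.
        tokens = raw.strip().replace("=", " ", 1).split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        key = ALIASES.get(tokens[0].lower(), tokens[0].lower())
        if key == "match":
            match = " ".join(tokens[1:])
        elif key in WANTED and match is not None:
            # Match blocks override the global value for matching clients.
            if tokens[1].lower() != WANTED[key]:
                in_match.append(f"Match {match}: {key} {tokens[1].lower()}")
        elif key in WANTED and key not in seen:
            # For global settings sshd keeps the first value it reads.
            seen.add(key)
            effective[key] = tokens[1].lower()
    top = [f"global: {k} {effective[k]} (want {w})"
           for k, w in WANTED.items() if effective[k] != w]
    return top + in_match


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE):
        print(finding)
```

The output of `sshd -T` uses the same keyword/value layout with `Include` files already resolved, so it can be passed to the same function.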