ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An organization uses a public AWS Linux bastion host for administrators worldwide. Security policy states that no long-term credentials may reside on user laptops, and remote shell sessions must remain confidential and tamper-proof when crossing the Internet. Which SSH configuration approach best meets these requirements while minimizing ongoing administrative overhead?
Issue each administrator a long-lived 4096-bit RSA key pair, store private keys on their laptops, and disable password authentication.
Replace SSH with Telnet tunneled through an SSL VPN terminated on the bastion to gain end-to-end encryption.
Configure the bastion to accept only SSH protocol 2 and require authentication with short-lived, CA-signed user certificates issued on demand; disable password and static key logins.
Permit SSH protocol 1 but enforce complex passwords and enable fail2ban to block repeated login attempts.
The correct choice is the bastion that accepts only SSH protocol 2 and authenticates users with short-lived, CA-signed certificates. Certificate-based authentication satisfies the "no long-term credentials on laptops" requirement because the administrator generates a fresh key pair at login time, has its public half signed by the organization's SSH CA with a validity window measured in hours, and discards both the key and the certificate when the session ends; nothing durable remains to be stolen. Disabling password logins and static authorized_keys entries removes the credentials an attacker could brute-force, phish or replay. Protocol 2 negotiates strong encryption with per-packet integrity protection (a MAC or an AEAD cipher), which covers both confidentiality and tamper resistance across the Internet. Protocol 1 has well-known integrity weaknesses (the CRC-32 compensation and insertion attacks) and was removed from the OpenSSH server in 7.4, so a current sshd cannot offer it anyway; what this option actually adds is the certificate policy. The distractors each fail a requirement: long-lived personal RSA keys are permanent credentials stored on the laptop; passwords remain exposed to brute force and reuse, and fail2ban only slows an attacker rather than removing the weakness; Telnet inside an SSL VPN adds a second moving part while keeping a cleartext, unauthenticated protocol on the inside of the tunnel. Operationally the CA model also cuts key management: the bastion trusts a single CA public key (TrustedUserCAKeys) instead of a per-user authorized_keys list, onboarding and offboarding happen at the CA rather than on the host, and most revocation is handled by certificates simply expiring. The remaining caveat is that the CA's private key is now the credential that matters; it belongs in an HSM or a tightly controlled signing service, with issuance gated on the organization's SSO and MFA.
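To make the chosen configuration concrete, the checker below audits an sshd_config for the policy the answer describes: passwords and keyboard-interactive off, static authorized_keys disabled, a user CA trusted, and root login refused. This is an added example, not code from the original question or from any vendor; the two sample configs are constructed, and the paths /etc/ssh/user_ca.pub and /etc/ssh/principals/%u are assumptions chosen for illustration. One detail it encodes that trips people up: PubkeyAuthentication must stay on, because certificates are verified by the public-key method, and static keys are disabled by setting AuthorizedKeysFile to none rather than by turning the method off.

```python
"""Audit an OpenSSH sshd_config against the certificate-only bastion
policy described above.  Added example, not code from the original page;
the CA and principals paths in the sample configs are assumptions.

Parsing follows sshd_config(5): keywords are case-insensitive, a value
may follow whitespace or '=', the first value given for a keyword wins,
and everything after the first 'Match' line is conditional, so only the
global section is evaluated here."""

import re

# keyword -> (required value, default sshd applies when absent, reason)
POLICY = {
    "passwordauthentication": ("no", "yes", "password logins are brute-forceable and reusable"),
    "kbdinteractiveauthentication": ("no", "yes", "keyboard-interactive is another password path"),
    "pubkeyauthentication": ("yes", "yes", "certificate auth runs over the public-key method"),
    "authorizedkeysfile": ("none", ".ssh/authorized_keys .ssh/authorized_keys2",
                           "static authorized_keys entries are long-lived credentials"),
    "permitrootlogin": ("no", "prohibit-password", "administrators should log in as themselves"),
}

# Older spelling of KbdInteractiveAuthentication still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(text):
    """Return (settings, has_match) for the global section of an sshd_config."""
    settings = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            has_match = True
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings, has_match


def audit(text):
    """Return a list of policy findings; an empty list means compliant."""
    settings, has_match = parse_global(text)
    findings = []
    for key, (want, default, why) in POLICY.items():
        got = settings.get(key, default)
        if got != want:
            findings.append(f"{key} is {got!r}, want {want!r}: {why}")
    if settings.get("trustedusercakeys", "none") == "none":
        findings.append("trustedusercakeys not set: sshd cannot accept any user certificate")
    if "protocol" in settings:
        findings.append("protocol keyword is ignored by current sshd; protocol 1 support was removed")
    if has_match:
        findings.append("match block present: per-user overrides below it were not evaluated")
    return findings


# Constructed sample: a bastion left close to the defaults.
WEAK_CONFIG = """
Port 22
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

# Constructed sample matching the chosen answer; both paths are assumptions.
HARDENED_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile none
PermitRootLogin no
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {'compliant' if not found else f'{len(found)} finding(s)'}")
        for item in found:
            print("  -", item)
```

Feed it the output of `sshd -T` rather than the raw file when auditing a real host, since that prints the effective configuration with includes resolved. The matching client-side step is the CA signing a freshly generated key for a short window, for example `ssh-keygen -s user_ca -I alice -n alice -V +1h id_session.pub`, where `-n` sets the principal that AuthorizedPrincipalsFile maps to a login name and `-V +1h` makes the certificate expire an hour after issuance.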
Exam domain: Cryptography