Michael Orlitzky <mjo@g.o> wrote:

> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
> >
> > What would take longer?
> > brute-forcing your root-password or a 4096 byte ssh key?
> >
>
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.
>
> And a 4096-bit public encryption key doesn't provide 4096 bits of
> security -- you're thinking of symmetric encryption. Regardless, if
> someone is brute-forcing passwords, it would take them "twice" as long
> to brute-force both my root password and the password on my SSH key as
> it would to do the root password alone. I can do better than 2x by
> adding a character to my password. And that's pointless, because it
> would already take forever. No-more-Earth forever.
>
>
> >
> >> All of the good attacks (shoot me, bribe me, steal the hardware,
> >> etc.) that I can think of work just fine against the two-factor
> >> auth. The only other way to get the root password is to be there
> >> when I transfer it from my brain to the terminal, in which case
> >> you have the SSH key, too.
> >
> > The ssh-key is stored on your desktop/laptop. Secured with a
> > passphrase.
> >
>
> If my machine is compromised, the attacker can see both the SSH key
> password when I type it, and the root password when I type that.

That's right. If an attacker has full control over your machine
then it doesn't make any difference.

But if he can only see what you are typing, for example by a keylogger
or by detecting the electromagnetic radiation of your keyboard or by
watching your keyboard with a camera, then he can do nothing with the
root password of your server when root login with password is forbidden.

Just my two cents. ;-)

--
Regards
wabe
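
Added example, not part of the thread: a small check of whether an sshd_config still lets a known root password be used for SSH login, which is the condition the last reply depends on. It reads only the global section and three directives (no Match blocks, Include files or AuthenticationMethods), assumes current OpenSSH defaults, and uses constructed sample configs.

```python
"""Does sshd_config leave root reachable with a password alone? (added sketch)"""

# Assumption: defaults of current OpenSSH releases; older versions differ.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample inputs.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = (
    "# constructed sample\n"
    "PermitRootLogin prohibit-password\n"
    "PasswordAuthentication no\n"
    "PermitRootLogin yes\n"  # ignored: sshd keeps the first value it reads
)


def effective_global_settings(config_text):
    """Return the three settings as sshd would see them globally."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks are not evaluated in this sketch
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())  # first value wins
    return {**DEFAULTS, **seen}


def root_password_login_possible(config_text):
    """True if a root password by itself may be enough to log in."""
    s = effective_global_settings(config_text)
    # Only "yes" lets root use password or keyboard-interactive methods.
    if s["permitrootlogin"] != "yes":
        return False
    # Keyboard-interactive can prompt for the password via PAM, so it is
    # counted as password-capable here (a conservative reading).
    return "yes" in (s["passwordauthentication"],
                     s["kbdinteractiveauthentication"])
```

The effective values on a live host can be compared against `sshd -T`, which prints the configuration sshd actually uses.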