| 1 |
Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
|
| 3 |
> On 11/10/2015 11:13 AM, J. Roeleveld wrote: |
| 4 |
> > |
| 5 |
> > What would take longer? |
| 6 |
> > brute-forcing your root-password or a 4096 byte ssh key? |
| 7 |
> > |
| 8 |
> |
| 9 |
> My password, by a lot. The password needs to be brute-forced over the |
| 10 |
> network, first of all. |
| 11 |
> |
| 12 |
> And a 4096-bit public encryption key doesn't provide 4096 bits of |
| 13 |
> security -- you're thinking of symmetric encryption. Regardless, if |
| 14 |
> someone is brute-forcing passwords, it would take them "twice" as long |
| 15 |
> to brute-force both my root password and the password on my SSH key as |
| 16 |
> it would to do the root password alone. I can do better than 2x by |
| 17 |
> adding a character to my password. And that's pointless, because it |
| 18 |
> would already take forever. No-more-Earth forever. |
| 19 |
> |
| 20 |
> |
| 21 |
> > |
| 22 |
> >> All of the good attacks (shoot me, bribe me, steal the hardware, |
| 23 |
> >> etc.) that I can think of work just fine against the two-factor |
| 24 |
> >> auth. The only other way to get the root password is to be there |
| 25 |
> >> when I transfer it from my brain to the terminal, in which case |
| 26 |
> >> you have the SSH key, too. |
| 27 |
> > |
| 28 |
> > The ssh-key is stored on your desktop/laptop. Secured with a |
| 29 |
> > passphrase. |
| 30 |
> > |
| 31 |
> |
| 32 |
> If my machine is compromised, the attacker can see both the SSH key |
| 33 |
> password when I type it, and the root password when I type that. |
| 34 |
|
| 35 |
That's right. If an attacker has the full control over your machine |
| 36 |
then it doesn't make any difference. |
| 37 |
|
| 38 |
But if he can only see what you are typing, for example by a keylogger |
| 39 |
or by detecting the electromagentic radiation of your keyboard or by |
| 40 |
watching your keyboard with a camera, then he can do nothing with the |
| 41 |
root password of your server when root login with password is forbidden. |
| 42 |
|
| 43 |
Just my two cents. ;-) |
| 44 |
|
| 45 |
-- |
| 46 |
Regards |
| 47 |
wabe |
Archives