| 1 |
On 11/10/2015 10:30 AM, Alan McKinnon wrote: |
| 2 |
>> Maybe, but your argument isn't convincing. How am I better off doing it |
| 3 |
>> your way (what is your way)? |
| 4 |
> |
| 5 |
> The most common way is to disallow all remote logins as root. Admins log |
| 6 |
> in with their personal unpriv account using an ssh key. To become root |
| 7 |
> they must su or sudo -i with a password. |
| 8 |
> |
| 9 |
> Benefits: two factor auth using different mechanisms. Having the key or |
| 10 |
> the password is not enough to become root, an attacker must have both. |
| 11 |
> |
| 12 |
> Allowing root logins directly over the network is considered bad |
| 13 |
> practice, due to the "one mistake = you lose" aspect. |
| 14 |
> |
| 15 |
|
| 16 |
It sounds good, but what sort of attack on my root password does the |
| 17 |
two-factor authentication prevent? Assume that I'm not an idiot and to |
| 18 |
brute-force my root password would take literally forever. |
| 19 |
|
| 20 |
I'm weighing this against the complexity of adding separate accounts, |
| 21 |
making sure that *those* are secure, risking breakage of the sudoers |
| 22 |
file, granting someone the ability to brute force my SSH key password |
| 23 |
offline,... |
| 24 |
|
| 25 |
All of the good attacks (shoot me, bribe me, steal the hardware, etc.) |
| 26 |
that I can think of work just fine against the two-factor auth. The only |
| 27 |
other way to get the root password is to be there when I transfer it |
| 28 |
from my brain to the terminal, in which case you have the SSH key, too. |
Archives