1 |
On 11/10/2015 10:30 AM, Alan McKinnon wrote: |
2 |
>> Maybe, but your argument isn't convincing. How am I better off doing it |
3 |
>> your way (what is your way)? |
4 |
> |
5 |
> The most common way is to disallow all remote logins as root. Admins log |
6 |
> in with their personal unpriv account using an ssh key. To become root |
7 |
> they must su or sudo -i with a password. |
8 |
> |
9 |
> Benefits: two factor auth using different mechanisms. Having the key or |
10 |
> the password is not enough to become root, an attacker must have both. |
11 |
> |
12 |
> Allowing root logins directly over the network is considered bad |
13 |
> practice, due to the "one mistake = you lose" aspect. |
14 |
> |
15 |
|
16 |
It sounds good, but what sort of attack on my root password does the |
17 |
two-factor authentication prevent? Assume that I'm not an idiot and to |
18 |
brute-force my root password would take literally forever. |
19 |
|
20 |
I'm weighing this against the complexity of adding separate accounts, |
21 |
making sure that *those* are secure, risking breakage of the sudoers |
22 |
file, granting someone the ability to brute force my SSH key password |
23 |
offline,... |
24 |
|
25 |
All of the good attacks (shoot me, bribe me, steal the hardware, etc.) |
26 |
that I can think of work just fine against the two-factor auth. The only |
27 |
other way to get the root password is to be there when I transfer it |
28 |
from my brain to the terminal, in which case you have the SSH key, too. |