| 1 |
Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
|
| 3 |
> On 11/10/2015 03:52 PM, wabenbau@×××××.com wrote: |
| 4 |
> > |
| 5 |
> > That's right. If an attacker has the full control over your machine |
| 6 |
> > then it doesn't make any difference. |
| 7 |
> > |
| 8 |
> > But if he can only see what you are typing, for example by a |
| 9 |
> > keylogger or by detecting the electromagentic radiation of your |
| 10 |
> > keyboard or by watching your keyboard with a camera, then he can do |
| 11 |
> > nothing with the root password of your server when root login with |
| 12 |
> > password is forbidden. |
| 13 |
> > |
| 14 |
> |
| 15 |
> I said I would give up but I lied. |
| 16 |
> |
| 17 |
> The scenario that we're talking about has the user log in via an SSH |
| 18 |
> key to some server. Once he's logged in to the server, the user uses |
| 19 |
> "su" or "sudo" to become root. This requires that he type the root |
| 20 |
> password. So a keyboard camera would still obtain the password. |
| 21 |
> |
| 22 |
> If you never actually obtain root access, of course you are safe =) |
| 23 |
|
| 24 |
You can disable password login for that user on the server. Then he |
| 25 |
can only login via ssh key. Only with the knowledge of the root |
| 26 |
password it is not possible to gain root access to the server. An |
| 27 |
attacker also needs the ssh key. And with a camera, keylogger, or |
| 28 |
measuring radiation he can not fetch that key. |
| 29 |
|
| 30 |
-- |
| 31 |
Regards |
| 32 |
wabe |
Archives