| 1 |
On 11/10/2015 11:13 AM, J. Roeleveld wrote: |
| 2 |
> |
| 3 |
> What would take longer? |
| 4 |
> brute-forcing your root-password or a 4096 byte ssh key? |
| 5 |
> |
| 6 |
|
| 7 |
My password, by a lot. The password needs to be brute-forced over the |
| 8 |
network, first of all. |
| 9 |
|
| 10 |
And a 4096-bit public encryption key doesn't provide 4096 bits of |
| 11 |
security -- you're thinking of symmetric encryption. Regardless, if |
| 12 |
someone is brute-forcing passwords, it would take them "twice" as long |
| 13 |
to brute-force both my root password and the password on my SSH key as |
| 14 |
it would to do the root password alone. I can do better than 2x by |
| 15 |
adding a character to my password. And that's pointless, because it |
| 16 |
would already take forever. No-more-Earth forever. |
| 17 |
|
| 18 |
|
| 19 |
> |
| 20 |
>> All of the good attacks (shoot me, bribe me, steal the hardware, etc.) |
| 21 |
>> that I can think of work just fine against the two-factor auth. The only |
| 22 |
>> other way to get the root password is to be there when I transfer it |
| 23 |
>> from my brain to the terminal, in which case you have the SSH key, too. |
| 24 |
> |
| 25 |
> The ssh-key is stored on your desktop/laptop. Secured with a passphrase. |
| 26 |
> |
| 27 |
|
| 28 |
If my machine is compromised, the attacker can see both the SSH key |
| 29 |
password when I type it, and the root password when I type that. |
Archives