1 |
On 11/10/2015 11:13 AM, J. Roeleveld wrote: |
2 |
> |
3 |
> What would take longer? |
4 |
> brute-forcing your root-password or a 4096 byte ssh key? |
5 |
> |
6 |
|
7 |
My password, by a lot. The password needs to be brute-forced over the |
8 |
network, first of all. |
9 |
|
10 |
And a 4096-bit public encryption key doesn't provide 4096 bits of |
11 |
security -- you're thinking of symmetric encryption. Regardless, if |
12 |
someone is brute-forcing passwords, it would take them "twice" as long |
13 |
to brute-force both my root password and the password on my SSH key as |
14 |
it would to do the root password alone. I can do better than 2x by |
15 |
adding a character to my password. And that's pointless, because it |
16 |
would already take forever. No-more-Earth forever. |
17 |
|
18 |
|
19 |
> |
20 |
>> All of the good attacks (shoot me, bribe me, steal the hardware, etc.) |
21 |
>> that I can think of work just fine against the two-factor auth. The only |
22 |
>> other way to get the root password is to be there when I transfer it |
23 |
>> from my brain to the terminal, in which case you have the SSH key, too. |
24 |
> |
25 |
> The ssh-key is stored on your desktop/laptop. Secured with a passphrase. |
26 |
> |
27 |
|
28 |
If my machine is compromised, the attacker can see both the SSH key |
29 |
password when I type it, and the root password when I type that. |