| 1 |
On Tuesday, November 10, 2015 10:58:48 AM Michael Orlitzky wrote: |
| 2 |
> On 11/10/2015 10:30 AM, Alan McKinnon wrote: |
| 3 |
> >> Maybe, but your argument isn't convincing. How am I better off doing it |
| 4 |
> >> your way (what is your way)? |
| 5 |
> > |
| 6 |
> > The most common way is to disallow all remote logins as root. Admins log |
| 7 |
> > in with their personal unpriv account using an ssh key. To become root |
| 8 |
> > they must su or sudo -i with a password. |
| 9 |
> > |
| 10 |
> > Benefits: two factor auth using different mechanisms. Having the key or |
| 11 |
> > the password is not enough to become root, an attacker must have both. |
| 12 |
> > |
| 13 |
> > Allowing root logins directly over the network is considered bad |
| 14 |
> > practice, due to the "one mistake = you lose" aspect. |
| 15 |
> |
| 16 |
> It sounds good, but what sort of attack on my root password does the |
| 17 |
> two-factor authentication prevent? Assume that I'm not an idiot and to |
| 18 |
> brute-force my root password would take literally forever. |
| 19 |
|
| 20 |
What would take longer? |
| 21 |
brute-forcing your root-password or a 4096 byte ssh key? |
| 22 |
|
| 23 |
> I'm weighing this against the complexity of adding separate accounts, |
| 24 |
> making sure that *those* are secure, risking breakage of the sudoers |
| 25 |
> file, granting someone the ability to brute force my SSH key password |
| 26 |
> offline,... |
| 27 |
|
| 28 |
You secure the seperate account using a ssh-key. |
| 29 |
The root-password will only work once logged in using the seperate account. |
| 30 |
|
| 31 |
> All of the good attacks (shoot me, bribe me, steal the hardware, etc.) |
| 32 |
> that I can think of work just fine against the two-factor auth. The only |
| 33 |
> other way to get the root password is to be there when I transfer it |
| 34 |
> from my brain to the terminal, in which case you have the SSH key, too. |
| 35 |
|
| 36 |
The ssh-key is stored on your desktop/laptop. Secured with a passphrase. |
| 37 |
|
| 38 |
-- |
| 39 |
Joost |
Archives