On Tuesday, November 10, 2015 10:58:48 AM Michael Orlitzky wrote:
> On 11/10/2015 10:30 AM, Alan McKinnon wrote:
> >> Maybe, but your argument isn't convincing. How am I better off doing it
> >> your way (what is your way)?
> >
> > The most common way is to disallow all remote logins as root. Admins log
> > in with their personal unpriv account using an ssh key. To become root
> > they must su or sudo -i with a password.
> >
> > Benefits: two factor auth using different mechanisms. Having the key or
> > the password is not enough to become root, an attacker must have both.
> >
> > Allowing root logins directly over the network is considered bad
> > practice, due to the "one mistake = you lose" aspect.
>
> It sounds good, but what sort of attack on my root password does the
> two-factor authentication prevent? Assume that I'm not an idiot and to
> brute-force my root password would take literally forever.

What would take longer?
brute-forcing your root-password or a 4096 byte ssh key?

> I'm weighing this against the complexity of adding separate accounts,
> making sure that *those* are secure, risking breakage of the sudoers
> file, granting someone the ability to brute force my SSH key password
> offline,...

You secure the separate account using a ssh-key.
The root-password will only work once logged in using the separate account.

> All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
> that I can think of work just fine against the two-factor auth. The only
> other way to get the root password is to be there when I transfer it
> from my brain to the terminal, in which case you have the SSH key, too.

The ssh-key is stored on your desktop/laptop. Secured with a passphrase.

-- 
Joost
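The setup Alan describes and Joost defends above (no remote root login, key-only authentication for a personal account, then su or sudo -i with the root password) lives in sshd_config. The following is an added example, not code from anyone in this thread: a small POSIX sh audit that reports the value sshd will actually use for a keyword and checks a file against that policy. It goes slightly beyond the thread in one respect: sshd takes the first occurrence of a keyword, so a "PermitRootLogin no" appended after an earlier "PermitRootLogin yes" is dead text, and the helper models that. The function names, the two sample configs and the temp-file names are constructed for the example; it assumes a single flat file (no Include directives) and stops at the first Match block, since settings inside Match blocks are conditional.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# sshd_config semantics: for each keyword the FIRST value found wins, and
# everything after a "Match" line is conditional. A late "no" below an
# earlier "yes" therefore changes nothing; this helper reports the value
# sshd would really use. Assumes one flat file (no Include directives).

# effective_sshd_option FILE KEYWORD
#   prints the first-match value for KEYWORD, or "(default)" if unset
effective_sshd_option() {
    file="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    val=$(sed 's/#.*//' "$file" | awk -v k="$key" '
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == k       { print $2; exit } # first occurrence wins
    ')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '(default)\n'; fi
}

# root_login_hardened FILE
#   succeeds only when root cannot log in over the network AND password
#   authentication is off, i.e. the key-then-su/sudo model from the thread.
#   "(default)" is treated as not hardened: the policy must be explicit.
root_login_hardened() {
    prl=$(effective_sshd_option "$1" PermitRootLogin)
    pwa=$(effective_sshd_option "$1" PasswordAuthentication)
    [ "$prl" = "no" ] && [ "$pwa" = "no" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/sshd_config.weak"          # constructed sample
HARDENED_CONF="$WORK/sshd_config.hardened"  # constructed sample

# Weak: root over the network with a password. The appended
# "PermitRootLogin no" looks like a fix but is ignored (first value wins).
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# a later attempt to fix it, which sshd never reads as effective:
PermitRootLogin no
EOF

# Hardened: admins log in as themselves with a key, then su / sudo -i.
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s: PermitRootLogin=%s PasswordAuthentication=%s -> ' \
        "$(basename "$f")" \
        "$(effective_sshd_option "$f" PermitRootLogin)" \
        "$(effective_sshd_option "$f" PasswordAuthentication)"
    if root_login_hardened "$f"; then echo "hardened"; else echo "NOT hardened"; fi
done
```

Run it with sh; the weak file reports PermitRootLogin=yes despite the trailing "no" line. To audit a real host, call effective_sshd_option on /etc/ssh/sshd_config, or compare against `sshd -T`, which prints the effective configuration after all parsing.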