| 1 |
-----BEGIN PGP SIGNED MESSAGE-----
|
| 2 |
Hash: SHA512
|
| 3 |
|
| 4 |
On Fri, 14 Mar 2014 18:31:32 +0100
|
| 5 |
Thomas Sigurdsen <thomas.sigurdsen@×××××.com> wrote:
|
| 6 |
|
| 7 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 8 |
> Hash: SHA1 |
| 9 |
> |
| 10 |
> Hi list. |
| 11 |
> |
| 12 |
> I have for some time now been trying to avoid using passwords as much |
| 13 |
> as possible, preferring encryption keys instead (e.g. public private |
| 14 |
> key encryption like gpg and such). I have also started using longer |
| 15 |
> randomised passwords I shouldn't remember; storing them instead in a |
| 16 |
> safe place (e.g. encrypted memory card or flashdisk). |
| 17 |
> |
| 18 |
> So when setting up a new Gentoo machine today and being about to |
| 19 |
> enter a new root password I found myself wanting a way of doing |
| 20 |
> authentication through some other means than remembering a password, |
| 21 |
> like gpg or certificates. Does this exist; and if anyone has had |
| 22 |
> experience with it, is it worth the hassle? And if this is a bad way |
| 23 |
> of doing root authentication, why/how? |
| 24 |
|
| 25 |
You can use ssh keys (PK crypto) with ssh daemon if the access is over
|
| 26 |
network.
|
| 27 |
|
| 28 |
If you need to login physicaly at the machine, you could hack together
|
| 29 |
something that reads an inserted usb stick or memory card with a
|
| 30 |
symmetric key and then make the login.
|
| 31 |
|
| 32 |
In order to use the stick with PK crypto you would need to also hack
|
| 33 |
together a usb stick that act's as an USB gadget or USART and responds
|
| 34 |
to the challenge.
|
| 35 |
|
| 36 |
In any case, if someone can get physical access to the token, you are
|
| 37 |
screwed. To fix this, you would also need a way for the user to enter a
|
| 38 |
password on the token that's active for a short period of time.
|
| 39 |
|
| 40 |
But what problem did we want to solve in the first place? Anyway, might
|
| 41 |
be helpful when the token can be used with many/multiple systems.
|
| 42 |
|
| 43 |
> Also the machine in question will have more than one user and a subset |
| 44 |
> of the users shall have access to the root account. |
| 45 |
|
| 46 |
The requirement of shared root makes the strong authentication
|
| 47 |
requirement kinda dubious as that's (typically) insecure by default.
|
| 48 |
|
| 49 |
Also you might want to rather use sudo than granting root access.
|
| 50 |
|
| 51 |
> - -- |
| 52 |
> Thomas Sigurdsen |
| 53 |
> browniehive.net |
| 54 |
> -----BEGIN PGP SIGNATURE----- |
| 55 |
> Version: GnuPG v2.0.22 (GNU/Linux) |
| 56 |
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 57 |
> |
| 58 |
> iQEcBAEBAgAGBQJTIzzwAAoJEMUjE08Xv1s5uoAH/3v9b2LjOu2HFsCgjcThFFrn |
| 59 |
> 00bnxQRTsxLrtnltF6UKF0GBS3cs6vNRTevVCX9t8xOBRD8/ATp83U/tzx0EgYVP |
| 60 |
> 6LItUcbwdv41IcmVcPYqu8AzNRDyaUQswh8KV7Cpq3IPbhYkn5CkOlVorWEZxDrn |
| 61 |
> veuBJ7FEGHDppJDkdSAfNGlhtOL1UphuVy4M024NliGbNVqGgeo/42mmg21mLayG |
| 62 |
> js/5fG2NkT+Zgi59UY6+NHk08r6qk5qjhWXlsPjMrbGKaX483nNwLFHFxA8bNB6H |
| 63 |
> cZqB7GOxDlXi7dtcbBA3YRn1yKUtCDDiT8Gk/mKvTaiZtsORToAoinaxrT0y/Zo= |
| 64 |
> =iGQn |
| 65 |
> -----END PGP SIGNATURE----- |
| 66 |
> |
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
- ---
|
| 71 |
Jan Matějka | Developer
|
| 72 |
https://gentoo.org | Gentoo Linux
|
| 73 |
GPG: A33E F5BC A9F6 DAFD 2021 6FB6 3EBF D45B EEB6 CA8B
|
| 74 |
-----BEGIN PGP SIGNATURE-----
|
| 75 |
Version: GnuPG v2.0.22 (GNU/Linux)
|
| 76 |
|
| 77 |
iQEcBAEBCgAGBQJTI4iFAAoJEIN+7RD5ejahE/gH+wYfUaRKEqqkvg6nCTv4nwZa
|
| 78 |
YMDNF3Bg8Cn5xakSz762jjpaoTwsVEgIncoBv9jQtugtmv1KpfPhTP9EV8pZFTs+
|
| 79 |
Gynpz9hcaJWuN+ss0hmqeYukS9crvGYTkT1vnHgNOcM+pqgvm7wRwNvSjTSzovwc
|
| 80 |
5xGBbt4e4bt3XKp1rp2aysEXkC8FUjvZCm5E33VOd5KkXGX+WS3Q7SM0Ec7oMFi1
|
| 81 |
oz0wCAi4O3kAdAGsEZk5Z1tYIQzCmcc/vwOYkfGYTW4H00kbVmtmEJ7YjREA+q5X
|
| 82 |
jZFZEGZgEDIwtDHsexPfgX8U9r94p0IFBtiMyd8MP2RZNaVnIbuVoodZ3818X7I=
|
| 83 |
=i0Lq
|
| 84 |
-----END PGP SIGNATURE----- |
Archives