-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 14 Mar 2014 18:31:32 +0100
Thomas Sigurdsen <thomas.sigurdsen@×××××.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi list.
> 
> I have for some time now been trying to avoid using passwords as much
> as possible, preferring encryption keys instead (e.g. public private
> key encryption like gpg and such). I have also started using longer
> randomised passwords I shouldn't remember; storing them instead in a
> safe place (e.g. encrypted memory card or flashdisk).
> 
> So when setting up a new Gentoo machine today and being about to
> enter a new root password I found myself wanting a way of doing
> authentication through some other means than remembering a password,
> like gpg or certificates. Does this exist; and if anyone has had
> experience with it, is it worth the hassle? And if this is a bad way
> of doing root authentication, why/how?

You can use ssh keys (PK crypto) with ssh daemon if the access is over
network.

If you need to login physically at the machine, you could hack together
something that reads an inserted usb stick or memory card with a
symmetric key and then make the login.

In order to use the stick with PK crypto you would need to also hack
together a usb stick that acts as a USB gadget or USART and responds
to the challenge.

In any case, if someone can get physical access to the token, you are
screwed. To fix this, you would also need a way for the user to enter a
password on the token that's active for a short period of time.

But what problem did we want to solve in the first place? Anyway, might
be helpful when the token can be used with many/multiple systems.

> Also the machine in question will have more than one user and a subset
> of the users shall have access to the root account.

The requirement of shared root makes the strong authentication
requirement kinda dubious as that's (typically) insecure by default.

Also you might want to rather use sudo than granting root access.

> - -- 
> Thomas Sigurdsen
> browniehive.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iQEcBAEBAgAGBQJTIzzwAAoJEMUjE08Xv1s5uoAH/3v9b2LjOu2HFsCgjcThFFrn
> 00bnxQRTsxLrtnltF6UKF0GBS3cs6vNRTevVCX9t8xOBRD8/ATp83U/tzx0EgYVP
> 6LItUcbwdv41IcmVcPYqu8AzNRDyaUQswh8KV7Cpq3IPbhYkn5CkOlVorWEZxDrn
> veuBJ7FEGHDppJDkdSAfNGlhtOL1UphuVy4M024NliGbNVqGgeo/42mmg21mLayG
> js/5fG2NkT+Zgi59UY6+NHk08r6qk5qjhWXlsPjMrbGKaX483nNwLFHFxA8bNB6H
> cZqB7GOxDlXi7dtcbBA3YRn1yKUtCDDiT8Gk/mKvTaiZtsORToAoinaxrT0y/Zo=
> =iGQn
> -----END PGP SIGNATURE-----
> 

- ---
Jan Matějka | Developer
https://gentoo.org | Gentoo Linux
GPG: A33E F5BC A9F6 DAFD 2021 6FB6 3EBF D45B EEB6 CA8B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBCgAGBQJTI4iFAAoJEIN+7RD5ejahE/gH+wYfUaRKEqqkvg6nCTv4nwZa
YMDNF3Bg8Cn5xakSz762jjpaoTwsVEgIncoBv9jQtugtmv1KpfPhTP9EV8pZFTs+
Gynpz9hcaJWuN+ss0hmqeYukS9crvGYTkT1vnHgNOcM+pqgvm7wRwNvSjTSzovwc
5xGBbt4e4bt3XKp1rp2aysEXkC8FUjvZCm5E33VOd5KkXGX+WS3Q7SM0Ec7oMFi1
oz0wCAi4O3kAdAGsEZk5Z1tYIQzCmcc/vwOYkfGYTW4H00kbVmtmEJ7YjREA+q5X
jZFZEGZgEDIwtDHsexPfgX8U9r94p0IFBtiMyd8MP2RZNaVnIbuVoodZ3818X7I=
=i0Lq
-----END PGP SIGNATURE-----
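The reply above draws two lines worth seeing in code: a stick that merely carries a symmetric key is a copyable secret, whereas a gadget that answers a challenge keeps its private key on the device, and a PIN with a short validity window is what stops someone who only holds the token. The Go program below is an added illustration of that design written for this page; it is not code from the thread, from Gentoo, or from any real token. The `Token`, `Host` and `Replayer` types are hypothetical models, the login is a nonce-signing exchange built on Go's standard-library Ed25519, and the PIN window is simulated with an injectable clock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Responder is anything that answers a login challenge: the real token, or an
// attacker replaying a captured answer.
type Responder interface {
	Respond(challenge []byte) ([]byte, error)
}

// Token models a hypothetical hardware token: the private key never leaves it
// and it only signs while a PIN has unlocked it for a short window.
type Token struct {
	priv        ed25519.PrivateKey
	pin         []byte
	unlockedTil time.Time
	Now         func() time.Time // clock, replaceable in tests (assumption)
}

// NewToken generates a keypair inside the token and hands out only the public key.
func NewToken(pin string) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, pin: []byte(pin), Now: time.Now}, pub, nil
}

// Unlock checks the PIN in constant time and opens the signing window.
func (t *Token) Unlock(pin string, window time.Duration) bool {
	if subtle.ConstantTimeCompare(t.pin, []byte(pin)) != 1 {
		return false
	}
	t.unlockedTil = t.Now().Add(window)
	return true
}

// Respond signs the challenge only while unlocked; holding the token without
// the PIN yields no usable answer.
func (t *Token) Respond(challenge []byte) ([]byte, error) {
	if t.Now().After(t.unlockedTil) {
		return nil, errors.New("token locked: PIN required")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Host is the login side. It stores public keys only, so a copy of its
// database (unlike a copied symmetric key) is useless for logging in.
type Host struct{ keys map[string]ed25519.PublicKey }

func NewHost() *Host { return &Host{keys: map[string]ed25519.PublicKey{}} }

func (h *Host) Enroll(user string, pub ed25519.PublicKey) { h.keys[user] = pub }

// Login draws a fresh random challenge and verifies the signature over it.
func (h *Host) Login(user string, r Responder) (bool, error) {
	pub, ok := h.keys[user]
	if !ok {
		return false, errors.New("unknown user")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := r.Respond(challenge)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, challenge, sig), nil
}

// Replayer returns one captured genuine answer; since every login uses a new
// challenge, the replay fails verification.
type Replayer struct{ captured []byte }

func (r *Replayer) Respond(_ []byte) ([]byte, error) { return r.captured, nil }

func main() {
	tok, pub, err := NewToken("1234") // constructed sample PIN
	if err != nil {
		panic(err)
	}
	host := NewHost()
	host.Enroll("root", pub)
	_, err = host.Login("root", tok) // locked: no PIN entered yet
	fmt.Println("locked token:", err)
	tok.Unlock("1234", 30*time.Second)
	ok, _ := host.Login("root", tok)
	fmt.Println("unlocked token:", ok)
	sig, _ := tok.Respond([]byte("old challenge"))
	ok, _ = host.Login("root", &Replayer{captured: sig})
	fmt.Println("replayed answer:", ok)
}
```

The host never holds anything that lets it impersonate the user, which is the property a symmetric key on a stick cannot give; the replay check shows why the reply insists on the token "responding to the challenge" rather than handing over a stored value; and the expiring unlock is the "password on the token that's active for a short period of time".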