On 11/10/2015 10:30 AM, Alan McKinnon wrote: >> Maybe, but your argument isn't convincing. How am I better off doing it >> your way (what is your way)? > > The most common way is to disallow all remote logins as root. Admins log > in with their personal unpriv account using an ssh key. To become root > they must su or sudo -i with a password. > > Benefits: two factor auth using different mechanisms. Having the key or > the password is not enough to become root, an attacker must have both. > > Allowing root logins directly over the network is considered bad > practice, due to the "one mistake = you lose" aspect. >
It sounds good, but what sort of attack on my root password does the two-factor authentication prevent? Assume that I'm not an idiot and to brute-force my root password would take literally forever. I'm weighing this against the complexity of adding separate accounts, making sure that *those* are secure, risking breakage of the sudoers file, granting someone the ability to brute force my SSH key password offline,... All of the good attacks (shoot me, bribe me, steal the hardware, etc.) that I can think of work just fine against the two-factor auth. The only other way to get the root password is to be there when I transfer it from my brain to the terminal, in which case you have the SSH key, too.
