On Tuesday, November 10, 2015 10:58:48 AM Michael Orlitzky wrote:
> On 11/10/2015 10:30 AM, Alan McKinnon wrote:
> >> Maybe, but your argument isn't convincing. How am I better off doing it
> >> your way (what is your way)?
> > 
> > The most common way is to disallow all remote logins as root. Admins log
> > in with their personal unpriv account using an ssh key. To become root
> > they must su or sudo -i with a password.
> > 
> > Benefits: two factor auth using different mechanisms. Having the key or
> > the password is not enough to become root, an attacker must have both.
> > 
> > Allowing root logins directly over the network is considered bad
> > practice, due to the "one mistake = you lose" aspect.
> 
> It sounds good, but what sort of attack on my root password does the
> two-factor authentication prevent? Assume that I'm not an idiot and to
> brute-force my root password would take literally forever.

What would take longer?
Brute-forcing your root-password or a 4096 byte ssh key?

> I'm weighing this against the complexity of adding separate accounts,
> making sure that *those* are secure, risking breakage of the sudoers
> file, granting someone the ability to brute force my SSH key password
> offline,...

You secure the separate account using an ssh-key.
The root-password will only work once logged in using the separate account.

> All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
> that I can think of work just fine against the two-factor auth. The only
> other way to get the root password is to be there when I transfer it
> from my brain to the terminal, in which case you have the SSH key, too.

The ssh-key is stored on your desktop/laptop. Secured with a passphrase.

--
Joost
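
The sshd side of the setup discussed in this thread (no remote root login, key-only login for the unprivileged account) can be checked mechanically; the following is an added example, not code from anyone in the thread. It audits sshd_config text, honouring sshd's rule that the first value seen for a keyword wins and flagging Match blocks that relax a setting. Assumptions: the defaults listed are those of current OpenSSH, Include files and keyboard-interactive authentication are not examined, and the function names and sample config are constructed for illustration.

```python
import re

# Global defaults of current OpenSSH (assumption; confirm in `man sshd_config`).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}
# What the setup in the thread needs: no remote root, key-only login.
REQUIRED = {"permitrootlogin": "no",
            "passwordauthentication": "no", "pubkeyauthentication": "yes"}

def parse(config_text):
    """Return (global_settings, match_overrides) from sshd_config text."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value                      # everything below is conditional
        elif match is not None:
            overrides.append((match, key, value))
        else:
            settings.setdefault(key, value)    # first value wins in sshd
    return settings, overrides

def audit(config_text):
    """List deviations from the setup described in the thread."""
    settings, overrides = parse(config_text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key, DEFAULTS[key])
        if got != want:                        # unknown spellings fail closed
            findings.append(f"global {key}={got}, expected {want}")
    for match, key, value in overrides:
        if key in REQUIRED and value != REQUIRED[key]:
            findings.append(f"match [{match}] {key}={value}, expected {REQUIRED[key]}")
    return findings

# Constructed sample: the second PermitRootLogin is ignored (first wins),
# password logins stay on by default, and a Match block re-enables root.
SAMPLE = """\
PermitRootLogin no
PermitRootLogin yes
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

On a live host, `sshd -T` prints the effective global configuration and is the authoritative source; the password step for su or sudo is outside what this checks.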
