On 11/10/2015 11:13 AM, J. Roeleveld wrote: > > What would take longer? > brute-forcing your root-password or a 4096 byte ssh key? >
My password, by a lot. The password needs to be brute-forced over the network, first of all. And a 4096-bit public encryption key doesn't provide 4096 bits of security -- you're thinking of symmetric encryption. Regardless, if someone is brute-forcing passwords, it would take them "twice" as long to brute-force both my root password and the password on my SSH key as it would to do the root password alone. I can do better than 2x by adding a character to my password. And that's pointless, because it would already take forever. No-more-Earth forever. > >> All of the good attacks (shoot me, bribe me, steal the hardware, etc.) >> that I can think of work just fine against the two-factor auth. The only >> other way to get the root password is to be there when I transfer it >> from my brain to the terminal, in which case you have the SSH key, too. > > The ssh-key is stored on your desktop/laptop. Secured with a passphrase. > If my machine is compromised, the attacker can see both the SSH key password when I type it, and the root password when I type that.