On Mon, Nov 9, 2015 at 8:38 PM, Michael Orlitzky wrote:
> A major upgrade to OpenSSH is being stabilized:
>
> https://bugs.gentoo.org/show_bug.cgi?id=18
>
> The default of PermitRootLogin for sshd in the new version is
> "prohibit-password". If you typically log in to the
On 11/10/2015 11:13 AM, J. Roeleveld wrote:
>
> What would take longer?
> brute-forcing your root-password or a 4096 byte ssh key?
>
My password, by a lot. The password needs to be brute-forced over the
network, first of all.
And a 4096-bit public encryption key doesn't provide 4096 bits of
On 11/10/2015 10:30 AM, Alan McKinnon wrote:
>> Maybe, but your argument isn't convincing. How am I better off doing it
>> your way (what is your way)?
>
> The most common way is to disallow all remote logins as root. Admins log
> in with their personal unpriv account using an ssh key. To become
On Tuesday, November 10, 2015 10:58:48 AM Michael Orlitzky wrote:
> On 11/10/2015 10:30 AM, Alan McKinnon wrote:
> >> Maybe, but your argument isn't convincing. How am I better off doing it
> >> your way (what is your way)?
> >
> > The most common way is to disallow all remote logins as root.
On 10/11/2015 16:47, Michael Orlitzky wrote:
> On 11/09/2015 10:26 PM, Jeff Smelser wrote:
>>
>> The question is, why would you want root login? If you're still using it,
>> you're doing it wrong.
>
> Maybe, but your argument isn't convincing. How am I better off doing it
> your way (what is your
On 11/09/2015 10:26 PM, Jeff Smelser wrote:
>
> The question is, why would you want root login? If you're still using it,
> you're doing it wrong.
Maybe, but your argument isn't convincing. How am I better off doing it
your way (what is your way)?
On Tue, Nov 10, 2015 at 11:55 AM, Michael Orlitzky wrote:
> On 11/10/2015 01:26 PM, Alan McKinnon wrote:
> >
> > I think you are approaching this problem from the wrong viewpoint. You
> > have to assume an attacker has vastly more resources to bear on the
> > problem than you
On 11/10/2015 09:25 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>> Are you sure you know how such keys work? An extremely 15 character
>> password (Upper case, lower case, numbers, 8 more symbols) gives you
>> ~4747561509943000 combinations. Just a
On 10/11/2015 17:58, Michael Orlitzky wrote:
> On 11/10/2015 10:30 AM, Alan McKinnon wrote:
>>> Maybe, but your argument isn't convincing. How am I better off doing it
>>> your way (what is your way)?
>>
>> The most common way is to disallow all remote logins as root. Admins log
>> in with their
On 11/10/2015 01:26 PM, Alan McKinnon wrote:
>
> I think you are approaching this problem from the wrong viewpoint. You
> have to assume an attacker has vastly more resources to bear on the
> problem than you have. Thanks to Amazon and the cloud, this is now a
> very true reality. Brute force
On 11/10/2015 11:26 AM, Michael Orlitzky wrote:
> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
>>
>> What would take longer?
>> brute-forcing your root-password or a 4096 byte ssh key?
>>
>
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.
I realized
I am going to stop this convo. As soon as you say it can't be brute forced,
I am going to move on.
Good luck with that.
On Tue, Nov 10, 2015 at 12:17 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
> >
> > I guess from this you're assuming that everyone's
On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>
>
> On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
>> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
>>> I guess from this you're assuming that everyone's passwords that
>>> have been hacked are god, birthdays and such?
>>>
>> Again: assume that I'm
On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>>
> Are you sure you know how such keys work? An extremely 15 character
> password (Upper case, lower case, numbers, 8 more symbols) gives you
> ~4747561509943000 combinations. Just a simple 2048 bit
> key on the other hand (~180 of
On 11/10/2015 02:00 PM, Jeff Smelser wrote:
>
> I guess from this you're assuming that everyone's passwords that have been
> hacked are god, birthdays and such?
>
Again: assume that I'm not an idiot, and that I know how to choose a
long, random password. It cannot be brute-forced. And if it could,
On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
>> I guess from this you're assuming that everyone's passwords that have been
>> hacked are god, birthdays and such?
>>
> Again: assume that I'm not an idiot, and that I know how to choose a
> long, random
On 11/10/2015 09:31 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>>
>> On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
>>> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
I guess from this you're assuming that everyone's passwords that
have been hacked are
Michael Orlitzky wrote:
> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
> >
> > What would take longer?
> > brute-forcing your root-password or a 4096 byte ssh key?
> >
>
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.
>
> And a
On 11/10/2015 02:32 PM, Stanislav Nikolov wrote:
>
>
> On 11/10/2015 09:25 PM, Michael Orlitzky wrote:
>> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>>> Are you sure you know how such keys work? An extremely 15 character
>>> password (Upper case, lower case, numbers, 8 more symbols) gives
On 11/10/2015 04:11 PM, waben...@gmail.com wrote:
>
> You can disable password login for that user on the server. Then he
> can only login via ssh key. Only with the knowledge of the root
> password it is not possible to gain root access to the server. An
> attacker also needs the ssh key. And
Michael Orlitzky wrote:
> On 11/10/2015 04:11 PM, waben...@gmail.com wrote:
>> You can disable password login for that user on the server. Then he
>> can only login via ssh key. Only with the knowledge of the root
>> password it is not possible to gain root access to the server. An
>> attacker
Again, you're not understanding that brute force is not entirely how you
think it works. As a former employee of a large tech company. They are much
more cunning how they do it these days..
If you wanted to break into an account, would you really start with a and
work your way up?
Come on.
Michael Orlitzky wrote:
> On 11/10/2015 03:52 PM, waben...@gmail.com wrote:
> >
> > That's right. If an attacker has the full control over your machine
> > then it doesn't make any difference.
> >
> > But if he can only see what you are typing, for example by a
> > keylogger
On 11/10/2015 03:52 PM, waben...@gmail.com wrote:
>
> That's right. If an attacker has the full control over your machine
> then it doesn't make any difference.
>
> But if he can only see what you are typing, for example by a keylogger
> or by detecting the electromagnetic radiation of your
Hello, Jeff.
On Mon, Nov 09, 2015 at 08:26:27PM -0700, Jeff Smelser wrote:
> On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky wrote:
> > A major upgrade to OpenSSH is being stabilized:
> > https://bugs.gentoo.org/show_bug.cgi?id=18
> > The default of PermitRootLogin for
On Tue, 10 Nov 2015 09:53:52 +, Alan Mackenzie wrote:
> By the way, anybody, what's the alternative to a password login when you
> need to login remotely as root?
key login, set "PermitRootLogin without-password" and add your public
keys to .ssh/authorized_keys
--
Neil Bothwick
WINDOWS:
On 10/11/2015 11:53, Alan Mackenzie wrote:
Hello, Jeff.
On Mon, Nov 09, 2015 at 08:26:27PM -0700, Jeff Smelser wrote:
On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky wrote:
A major upgrade to OpenSSH is being stabilized:
Dale wrote:
> Michael Orlitzky wrote:
> > On 11/10/2015 04:11 PM, waben...@gmail.com wrote:
> >> You can disable password login for that user on the server. Then
> >> he can only login via ssh key. Only with the knowledge of the root
> >> password it is not possible to gain
On Mon, Nov 09, 2015 at 08:38:20PM -0500, Michael Orlitzky wrote
> A major upgrade to OpenSSH is being stabilized:
>
> https://bugs.gentoo.org/show_bug.cgi?id=18
>
> The default of PermitRootLogin for sshd in the new version is
> "prohibit-password". If you typically log in to the root
A major upgrade to OpenSSH is being stabilized:
https://bugs.gentoo.org/show_bug.cgi?id=18
The default of PermitRootLogin for sshd in the new version is
"prohibit-password". If you typically log in to the root account over
SSH using a password, **IT'S GONNA BREAK**, and you won't be able
On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky wrote:
> A major upgrade to OpenSSH is being stabilized:
>
> https://bugs.gentoo.org/show_bug.cgi?id=18
>
> The default of PermitRootLogin for sshd in the new version is
> "prohibit-password". If you typically log in to the