Re: [gentoo-user] OpenSSH upgrade warning

2015-11-12 Thread Rich Freeman
On Mon, Nov 9, 2015 at 8:38 PM, Michael Orlitzky wrote: > A major upgrade to OpenSSH is being stabilized: > > https://bugs.gentoo.org/show_bug.cgi?id=18 > > The default of PermitRootLogin for sshd in the new version is > "prohibit-password". If you typically log in to the

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 11:13 AM, J. Roeleveld wrote: > > What would take longer? > brute-forcing your root-password or a 4096 byte ssh key? > My password, by a lot. The password needs to be brute-forced over the network, first of all. And a 4096-bit public encryption key doesn't provide 4096 bits of

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 10:30 AM, Alan McKinnon wrote: >> Maybe, but your argument isn't convincing. How am I better off doing it >> your way (what is your way)? > > The most common way is to disallow all remote logins as root. Admins log > in with their personal unpriv account using an ssh key. To become

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread J. Roeleveld
On Tuesday, November 10, 2015 10:58:48 AM Michael Orlitzky wrote: > On 11/10/2015 10:30 AM, Alan McKinnon wrote: > >> Maybe, but your argument isn't convincing. How am I better off doing it > >> your way (what is your way)? > > > > The most common way is to disallow all remote logins as root.

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan McKinnon
On 10/11/2015 16:47, Michael Orlitzky wrote: > On 11/09/2015 10:26 PM, Jeff Smelser wrote: >> >> The question is, why would you want root login? If you're still using it, >> you're doing it wrong. > > Maybe, but your argument isn't convincing. How am I better off doing it > your way (what is your

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/09/2015 10:26 PM, Jeff Smelser wrote: > > The question is, why would you want root login? If you're still using it, > you're doing it wrong. Maybe, but your argument isn't convincing. How am I better off doing it your way (what is your way)?

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Jeff Smelser
On Tue, Nov 10, 2015 at 11:55 AM, Michael Orlitzky wrote: > On 11/10/2015 01:26 PM, Alan McKinnon wrote: > > > > I think you are approaching this problem from the wrong viewpoint. You > > have to assume an attacker has vastly more resources to bear on the > > problem than you

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Stanislav Nikolov
On 11/10/2015 09:25 PM, Michael Orlitzky wrote: > On 11/10/2015 02:23 PM, Stanislav Nikolov wrote: >> Are you sure you know how such keys work? An extremely 15 character >> password (Upper case, lower case, numbers, 8 more symbols) gives you >> ~4747561509943000 combinations. Just a

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan McKinnon
On 10/11/2015 17:58, Michael Orlitzky wrote: > On 11/10/2015 10:30 AM, Alan McKinnon wrote: >>> Maybe, but your argument isn't convincing. How am I better off doing it >>> your way (what is your way)? >> >> The most common way is to disallow all remote logins as root. Admins log >> in with their

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 01:26 PM, Alan McKinnon wrote: > > I think you are approaching this problem from the wrong viewpoint. You > have to assume an attacker has vastly more resources to bear on the > problem than you have. Thanks to Amazon and the cloud, this is now a > very true reality. Brute force

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 11:26 AM, Michael Orlitzky wrote: > On 11/10/2015 11:13 AM, J. Roeleveld wrote: >> >> What would take longer? >> brute-forcing your root-password or a 4096 byte ssh key? >> > > My password, by a lot. The password needs to be brute-forced over the > network, first of all. I realized

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Jeff Smelser
I am going to stop this convo. As soon as you say it can't be brute forced, I am going to move on. Good luck with that. On Tue, Nov 10, 2015 at 12:17 PM, Michael Orlitzky wrote: > On 11/10/2015 02:00 PM, Jeff Smelser wrote: > > > > I guess from this you're assuming that everyone's

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:23 PM, Stanislav Nikolov wrote: > > > On 11/10/2015 09:17 PM, Michael Orlitzky wrote: >> On 11/10/2015 02:00 PM, Jeff Smelser wrote: >>> I guess from this you're assuming that everyone's passwords that >>> have been hacked are god, birthdays and such? >>> >> Again: assume that I'm

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:23 PM, Stanislav Nikolov wrote: >> > Are you sure you know how such keys work? An extremely 15 character > password (Upper case, lower case, numbers, 8 more symbols) gives you > ~4747561509943000 combinations. Just a simple 2048 bit > key on the other hand (~180 of

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:00 PM, Jeff Smelser wrote: > > I guess from this you're assuming that everyone's passwords that have been > hacked are god, birthdays and such? > Again: assume that I'm not an idiot, and that I know how to choose a long, random password. It cannot be brute-forced. And if it could,

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Stanislav Nikolov
On 11/10/2015 09:17 PM, Michael Orlitzky wrote: > On 11/10/2015 02:00 PM, Jeff Smelser wrote: >> I guess from this you're assuming that everyone's passwords that have been >> hacked are god, birthdays and such? >> > Again: assume that I'm not an idiot, and that I know how to choose a > long, random

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Stanislav Nikolov
On 11/10/2015 09:31 PM, Michael Orlitzky wrote: > On 11/10/2015 02:23 PM, Stanislav Nikolov wrote: >> >> On 11/10/2015 09:17 PM, Michael Orlitzky wrote: >>> On 11/10/2015 02:00 PM, Jeff Smelser wrote: >>>> I guess from this you're assuming that everyone's passwords that have been hacked are

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread wabenbau
Michael Orlitzky wrote: > On 11/10/2015 11:13 AM, J. Roeleveld wrote: > > > > What would take longer? > > brute-forcing your root-password or a 4096 byte ssh key? > > > > My password, by a lot. The password needs to be brute-forced over the > network, first of all. > > And a

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:32 PM, Stanislav Nikolov wrote: > > > On 11/10/2015 09:25 PM, Michael Orlitzky wrote: >> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote: >>> Are you sure you know how such keys work? An extremely 15 character >>> password (Upper case, lower case, numbers, 8 more symbols) gives

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 04:11 PM, waben...@gmail.com wrote: > > You can disable password login for that user on the server. Then he > can only login via ssh key. Only with the knowledge of the root > password it is not possible to gain root access to the server. An > attacker also needs the ssh key. And

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Dale
Michael Orlitzky wrote: > On 11/10/2015 04:11 PM, waben...@gmail.com wrote: >> You can disable password login for that user on the server. Then he >> can only login via ssh key. Only with the knowledge of the root >> password it is not possible to gain root access to the server. An >> attacker

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Jeff Smelser
Again, you're not understanding that brute force is not entirely how you think it works. As a former employee of a large tech company: they are much more cunning about how they do it these days. If you wanted to break into an account, would you really start with a and work your way up? Come on.

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread wabenbau
Michael Orlitzky wrote: > On 11/10/2015 03:52 PM, waben...@gmail.com wrote: > > > > That's right. If an attacker has the full control over your machine > > then it doesn't make any difference. > > > > But if he can only see what you are typing, for example by a > > keylogger

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 03:52 PM, waben...@gmail.com wrote: > > That's right. If an attacker has the full control over your machine > then it doesn't make any difference. > > But if he can only see what you are typing, for example by a keylogger > or by detecting the electromagnetic radiation of your

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan Mackenzie
Hello, Jeff. On Mon, Nov 09, 2015 at 08:26:27PM -0700, Jeff Smelser wrote: > On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky wrote: > > A major upgrade to OpenSSH is being stabilized: > > https://bugs.gentoo.org/show_bug.cgi?id=18 > > The default of PermitRootLogin for

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Neil Bothwick
On Tue, 10 Nov 2015 09:53:52 +, Alan Mackenzie wrote: > By the way, anybody, what's the alternative to a password login when you > need to login remotely as root? Key login: set "PermitRootLogin without-password" and add your public keys to .ssh/authorized_keys -- Neil Bothwick WINDOWS:

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan McKinnon
On 10/11/2015 11:53, Alan Mackenzie wrote: > Hello, Jeff. > On Mon, Nov 09, 2015 at 08:26:27PM -0700, Jeff Smelser wrote: >> On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky wrote: >>> A major upgrade to OpenSSH is being stabilized:

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread wabenbau
Dale wrote: > Michael Orlitzky wrote: > > On 11/10/2015 04:11 PM, waben...@gmail.com wrote: > >> You can disable password login for that user on the server. Then > >> he can only login via ssh key. Only with the knowledge of the root > >> password it is not possible to gain

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Walter Dnes
On Mon, Nov 09, 2015 at 08:38:20PM -0500, Michael Orlitzky wrote: > A major upgrade to OpenSSH is being stabilized: > > https://bugs.gentoo.org/show_bug.cgi?id=18 > > The default of PermitRootLogin for sshd in the new version is > "prohibit-password". If you typically log in to the root

[gentoo-user] OpenSSH upgrade warning

2015-11-09 Thread Michael Orlitzky
A major upgrade to OpenSSH is being stabilized: https://bugs.gentoo.org/show_bug.cgi?id=18 The default of PermitRootLogin for sshd in the new version is "prohibit-password". If you typically log in to the root account over SSH using a password, **IT'S GONNA BREAK**, and you won't be able

Re: [gentoo-user] OpenSSH upgrade warning

2015-11-09 Thread Jeff Smelser
On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky wrote: > A major upgrade to OpenSSH is being stabilized: > > https://bugs.gentoo.org/show_bug.cgi?id=18 > > The default of PermitRootLogin for sshd in the new version is > "prohibit-password". If you typically log in to the