Re: [gentoo-user] OpenSSH upgrade warning

2015-11-12 Thread Rich Freeman
On Mon, Nov 9, 2015 at 8:38 PM, Michael Orlitzky  wrote:
> A major upgrade to OpenSSH is being stabilized:
>
>   https://bugs.gentoo.org/show_bug.cgi?id=18
>
> The default of PermitRootLogin for sshd in the new version is
> "prohibit-password". If you typically log in to the root account over
> SSH using a password, **IT'S GONNA BREAK**, and you won't be able to fix
> it remotely unless you have an account that can sudo to root.
>
> To maintain the current behavior, set PermitRootLogin to "yes" before
> you upgrade, and then be careful not to wipe out sshd_config.
>

Another issue is this news item that is now old but suddenly relevant:
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

We should probably rethink how we handle news items like this.

-- 
Rich



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 11:13 AM, J. Roeleveld wrote:
> 
> What would take longer?
> brute-forcing your root-password or a 4096 byte ssh key?
> 

My password, by a lot. The password needs to be brute-forced over the
network, first of all.

And a 4096-bit public encryption key doesn't provide 4096 bits of
security -- you're thinking of symmetric encryption. Regardless, if
someone is brute-forcing passwords, it would take them "twice" as long
to brute-force both my root password and the password on my SSH key as
it would to do the root password alone. I can do better than 2x by
adding a character to my password. And that's pointless, because it
would already take forever. No-more-Earth forever.


> 
>> All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
>> that I can think of work just fine against the two-factor auth. The only
>> other way to get the root password is to be there when I transfer it
>> from my brain to the terminal, in which case you have the SSH key, too.
> 
> The ssh-key is stored on your desktop/laptop. Secured with a passphrase.
> 

If my machine is compromised, the attacker can see both the SSH key
password when I type it, and the root password when I type that.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 10:30 AM, Alan McKinnon wrote:
>> Maybe, but your argument isn't convincing. How am I better off doing it
>> your way (what is your way)?
> 
> The most common way is to disallow all remote logins as root. Admins log
> in with their personal unpriv account using an ssh key. To become root
> they must su or sudo -i with a password.
> 
> Benefits: two factor auth using different mechanisms. Having the key or
> the password is not enough to become root, an attacker must have both.
> 
> Allowing root logins directly over the network is considered bad
> practice, due to the "one mistake = you lose" aspect.
> 

It sounds good, but what sort of attack on my root password does the
two-factor authentication prevent? Assume that I'm not an idiot and to
brute-force my root password would take literally forever.

I'm weighing this against the complexity of adding separate accounts,
making sure that *those* are secure, risking breakage of the sudoers
file, granting someone the ability to brute force my SSH key password
offline,...

All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
that I can think of work just fine against the two-factor auth. The only
other way to get the root password is to be there when I transfer it
from my brain to the terminal, in which case you have the SSH key, too.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread J. Roeleveld
On Tuesday, November 10, 2015 10:58:48 AM Michael Orlitzky wrote:
> On 11/10/2015 10:30 AM, Alan McKinnon wrote:
> >> Maybe, but your argument isn't convincing. How am I better off doing it
> >> your way (what is your way)?
> > 
> > The most common way is to disallow all remote logins as root. Admins log
> > in with their personal unpriv account using an ssh key. To become root
> > they must su or sudo -i with a password.
> > 
> > Benefits: two factor auth using different mechanisms. Having the key or
> > the password is not enough to become root, an attacker must have both.
> > 
> > Allowing root logins directly over the network is considered bad
> > practice, due to the "one mistake = you lose" aspect.
> 
> It sounds good, but what sort of attack on my root password does the
> two-factor authentication prevent? Assume that I'm not an idiot and to
> brute-force my root password would take literally forever.

What would take longer?
brute-forcing your root-password or a 4096 byte ssh key?

> I'm weighing this against the complexity of adding separate accounts,
> making sure that *those* are secure, risking breakage of the sudoers
> file, granting someone the ability to brute force my SSH key password
> offline,...

You secure the separate account using an ssh-key.
The root-password will only work once logged in using the separate account.

> All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
> that I can think of work just fine against the two-factor auth. The only
> other way to get the root password is to be there when I transfer it
> from my brain to the terminal, in which case you have the SSH key, too.

The ssh-key is stored on your desktop/laptop. Secured with a passphrase.

--
Joost



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan McKinnon
On 10/11/2015 16:47, Michael Orlitzky wrote:
> On 11/09/2015 10:26 PM, Jeff Smelser wrote:
>>
>> The question is, why would you want root login? If you're still using it,
>> you're doing it wrong.
> 
> Maybe, but your argument isn't convincing. How am I better off doing it
> your way (what is your way)?
> 
> 

The most common way is to disallow all remote logins as root. Admins log
in with their personal unpriv account using an ssh key. To become root
they must su or sudo -i with a password.

Benefits: two factor auth using different mechanisms. Having the key or
the password is not enough to become root, an attacker must have both.

Allowing root logins directly over the network is considered bad
practice, due to the "one mistake = you lose" aspect.

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/09/2015 10:26 PM, Jeff Smelser wrote:
> 
> The question is, why would you want root login? If you're still using it,
> you're doing it wrong.

Maybe, but your argument isn't convincing. How am I better off doing it
your way (what is your way)?




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Jeff Smelser
On Tue, Nov 10, 2015 at 11:55 AM, Michael Orlitzky  wrote:

> On 11/10/2015 01:26 PM, Alan McKinnon wrote:
> >
> > I think you are approaching this problem from the wrong viewpoint. You
> > have to assume an attacker has vastly more resources to bear on the
> > problem than you have. Thanks to Amazon and the cloud, this is now a
> > very true reality. Brute force attacking a root password is nowhere near
> > as complex as the maths would lead you to believe; for one thing they
> > are decidedly not random. The fact is that they are heavily biased,
> > mostly due to 1) you need to be able to remember it and 2) you need to
> > be able to type it.
> >
> > Humans have been proven to be very bad at coming up with passwords that
> > are truly good[1] and hard for computers to figure out. And our brains
> > are very very VERY good at convincing us that our latest dumb idea is
> > awesome. Are you really going to protect the mother lode (root password)
> > with a single system proven to be quite broken and deeply flawed by
> wetware?
> >
>
> I know all that, but I asked you to assume that I'm not an idiot and
> that it would take forever to brute-force my root password =)
>
> I'm not going to tell you what it is, so you'll have to believe me.
>
>
I guess from this you're assuming that everyone's passwords that have been
hacked are god, birthdays and such?


Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Stanislav Nikolov


On 11/10/2015 09:25 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>> Are you sure you know how such keys work? An extremely 15 character
>> password (Upper case, lower case, numbers, 8 more symbols) gives you
>> ~4747561509943000 combinations. Just a simple 2048 bit
>> key on the other hand (~180 of which are "secure")
>> 153249554086558358347027150309183618739122183602176. That's A LOT
>> moar. You don't have to generate the key from a password!
>>
> I don't have to brute-force the key. The key is encrypted with a
> password. How long is that password?
>
>
>
1) The key is not encrypted.  
2) You don't need a password to generate a key.  
3) Don't go full retard, do your research before arguing.



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan McKinnon
On 10/11/2015 17:58, Michael Orlitzky wrote:
> On 11/10/2015 10:30 AM, Alan McKinnon wrote:
>>> Maybe, but your argument isn't convincing. How am I better off doing it
>>> your way (what is your way)?
>>
>> The most common way is to disallow all remote logins as root. Admins log
>> in with their personal unpriv account using an ssh key. To become root
>> they must su or sudo -i with a password.
>>
>> Benefits: two factor auth using different mechanisms. Having the key or
>> the password is not enough to become root, an attacker must have both.
>>
>> Allowing root logins directly over the network is considered bad
>> practice, due to the "one mistake = you lose" aspect.
>>
> 
> It sounds good, but what sort of attack on my root password does the
> two-factor authentication prevent? Assume that I'm not an idiot and to
> brute-force my root password would take literally forever.
> 
> I'm weighing this against the complexity of adding separate accounts,
> making sure that *those* are secure, risking breakage of the sudoers
> file, granting someone the ability to brute force my SSH key password
> offline,...
> 
> All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
> that I can think of work just fine against the two-factor auth. The only
> other way to get the root password is to be there when I transfer it
> from my brain to the terminal, in which case you have the SSH key, too.

I think you are approaching this problem from the wrong viewpoint. You
have to assume an attacker has vastly more resources to bear on the
problem than you have. Thanks to Amazon and the cloud, this is now a
very true reality. Brute force attacking a root password is nowhere near
as complex as the maths would lead you to believe; for one thing they
are decidedly not random. The fact is that they are heavily biased,
mostly due to 1) you need to be able to remember it and 2) you need to
be able to type it.

Humans have been proven to be very bad at coming up with passwords that
are truly good[1] and hard for computers to figure out. And our brains
are very very VERY good at convincing us that our latest dumb idea is
awesome. Are you really going to protect the mother lode (root password)
with a single system proven to be quite broken and deeply flawed by wetware?

Two factor auth is cheap (ssh-keygen and ssh-copy-id) and keys take the
human factor out of the first step. It's not security theatre nor cargo
culting, so why not use it and gain the benefits for minimal effort?

Complexity of separate accounts is a bit of a red herring. If your user
account is weak, I have to assume so is your root account - apart from
UID=0 there is no difference between them. Hopefully you use Puppet or
friends so you set up a decent template once and the system ensures it
stays that way. No having to check if user accounts really are still not
weak.

Finally the root password by its nature is a shared secret between one
or more admins. On every system a boss has had me look after, I have
shown to my own satisfaction that it is the weak link. It has to exist,
it has to be known and it has to be communicated when it changes. Systems
designed to help make that process safe are themselves weak (such as a
GPG encrypted file protected by a never-changing shared password
that every admin knows!) Am I going to build a front line of defence
based on ssh keys? You betcha.

Alan

[1] Our bosses and auditors keep coming up with stupid ideas designed to
improve this but all they succeed in doing is causing the problem they
seek to solve. Such as rotating passwords, insisting on punctuation, no
repeating characters. In the real world all this does is invite *bad*
practices - people have to resort to this to get something that
satisfies the password policy and they can remember. And from there it's
a short step to Post-It-Note syndrome.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 01:26 PM, Alan McKinnon wrote:
> 
> I think you are approaching this problem from the wrong viewpoint. You
> have to assume an attacker has vastly more resources to bear on the
> problem than you have. Thanks to Amazon and the cloud, this is now a
> very true reality. Brute force attacking a root password is nowhere near
> as complex as the maths would lead you to believe; for one thing they
> are decidedly not random. The fact is that they are heavily biased,
> mostly due to 1) you need to be able to remember it and 2) you need to
> be able to type it.
> 
> Humans have been proven to be very bad at coming up with passwords that
> are truly good[1] and hard for computers to figure out. And our brains
> are very very VERY good at convincing us that our latest dumb idea is
> awesome. Are you really going to protect the mother lode (root password)
> with a single system proven to be quite broken and deeply flawed by wetware?
> 

I know all that, but I asked you to assume that I'm not an idiot and
that it would take forever to brute-force my root password =)

I'm not going to tell you what it is, so you'll have to believe me.


> Two factor auth is cheap (ssh-keygen and ssh-copy-id) and keys take the
> human factor out of the first step. It's not security theatre nor cargo
> culting, so why not use it and gain the benefits for minimal effort?
> 

The rest of what you say is all true, but *given that no one is going to
brute-force the root password*, what specific attack am I defending against?

I'm not trying to be annoying -- if switching to two-factor auth will
improve things, I'll do it -- but no one has ever been able to tell me
what I'd gain from it.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 11:26 AM, Michael Orlitzky wrote:
> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
>>
>> What would take longer?
>> brute-forcing your root-password or a 4096 byte ssh key?
>>
> 
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.

I realized this wasn't correct while I was in the shower =P

To tell if you decrypted the key properly, you need to send it over the
network, so verification of a brute-force attempt on the SSH key takes
about the same amount of time as a brute-force attempt on the root
password. The root password in my head is safe against crypto attacks
though, so if we're just arguing for fun, it's probably still safer.

Adding the key *in addition to* the root password still only gives you a
constant factor improvement, and I'm not worried whether it takes the
bad guys 4,359,811,353 or 8,719,622,706 years to log in. My time would
be better spent taking karate lessons to prevent one of those other
attacks I mentioned.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Jeff Smelser
I am going to stop this convo. As soon as you say it can't be brute forced,
I am going to move on.

Good luck with that.

On Tue, Nov 10, 2015 at 12:17 PM, Michael Orlitzky  wrote:

> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
> >
> > I guess from this you're assuming that everyone's passwords that have been
> > hacked are god, birthdays and such?
> >
>
> Again: assume that I'm not an idiot, and that I know how to choose a
> long, random password. It cannot be brute-forced. And if it could,
> adding an SSH key encrypted with a password of the same length would
> provide no extra security.
>
>
>


Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
> 
> 
> On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
>> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
>>> I guess from this you're assuming that everyone's passwords that
>>> have been hacked are god, birthdays and such?
>>> 
>> Again: assume that I'm not an idiot, and that I know how to choose
>> a long, random password. It cannot be brute-forced. And if it
>> could, adding an SSH key encrypted with a password of the same
>> length would provide no extra security.
>> 
>> 
> Are you sure you know how such keys work? An extremely 15 character
> password (Upper case, lower case, numbers, 8 more symbols) gives you
> ~4747561509943000 combinations


And since no one seems to believe me, if you could try a million
passwords a second (over the network!), it would take you about
75,272,093,955,210 years to try half of those combinations.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>> 
> Are you sure you know how such keys work? An extremely 15 character
> password (Upper case, lower case, numbers, 8 more symbols) gives you
> ~4747561509943000 combinations. Just a simple 2048 bit
> key on the other hand (~180 of which are "secure")
> 153249554086558358347027150309183618739122183602176. That's A LOT
> moar. You don't have to generate the key from a password!
> 

I don't have to brute-force the key. The key is encrypted with a
password. How long is that password?





Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:00 PM, Jeff Smelser wrote:
> 
> I guess from this you're assuming that everyone's passwords that have been
> hacked are god, birthdays and such?
> 

Again: assume that I'm not an idiot, and that I know how to choose a
long, random password. It cannot be brute-forced. And if it could,
adding an SSH key encrypted with a password of the same length would
provide no extra security.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Stanislav Nikolov


On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
>> I guess from this you're assuming that everyone's passwords that have been
>> hacked are god, birthdays and such?
>>
> Again: assume that I'm not an idiot, and that I know how to choose a
> long, random password. It cannot be brute-forced. And if it could,
> adding an SSH key encrypted with a password of the same length would
> provide no extra security.
>
>
Are you sure you know how such keys work? An extremely 15 character password
(Upper case, lower case, numbers, 8 more symbols) gives you
~4747561509943000 combinations. Just a simple 2048 bit key on the
other hand (~180 of which are "secure")
153249554086558358347027150309183618739122183602176. That's A LOT moar. You
don't have to generate the key from a password!



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Stanislav Nikolov


On 11/10/2015 09:31 PM, Michael Orlitzky wrote:
> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>>
>> On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
>>> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
>>>> I guess from this you're assuming that everyone's passwords that
>>>> have been hacked are god, birthdays and such?
>>>>
>>> Again: assume that I'm not an idiot, and that I know how to choose
>>> a long, random password. It cannot be brute-forced. And if it
>>> could, adding an SSH key encrypted with a password of the same
>>> length would provide no extra security.
>>>
>>>
>> Are you sure you know how such keys work? An extremely 15 character
>> password (Upper case, lower case, numbers, 8 more symbols) gives you
>> ~4747561509943000 combinations
>
> And since no one seems to believe me, if you could try a million
> passwords a second (over the network!), it would take you about
> 75,272,093,955,210 years to try half of those combinations.
>
>
I know that brute forcing a password is hard. I'm not stating the opposite. But 
brute forcing a 2048 bit key is not 2 times slower, it's 2398748237489237489 
times slower. And you don't need a password for a key! I think that's the right 
time to end this conversation, it won't lead to anything good.



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread wabenbau
Michael Orlitzky  wrote:

> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
> > 
> > What would take longer?
> > brute-forcing your root-password or a 4096 byte ssh key?
> > 
> 
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.
> 
> And a 4096-bit public encryption key doesn't provide 4096 bits of
> security -- you're thinking of symmetric encryption. Regardless, if
> someone is brute-forcing passwords, it would take them "twice" as long
> to brute-force both my root password and the password on my SSH key as
> it would to do the root password alone. I can do better than 2x by
> adding a character to my password. And that's pointless, because it
> would already take forever. No-more-Earth forever.
> 
> 
> > 
> >> All of the good attacks (shoot me, bribe me, steal the hardware,
> >> etc.) that I can think of work just fine against the two-factor
> >> auth. The only other way to get the root password is to be there
> >> when I transfer it from my brain to the terminal, in which case
> >> you have the SSH key, too.
> > 
> > The ssh-key is stored on your desktop/laptop. Secured with a
> > passphrase.
> > 
> 
> If my machine is compromised, the attacker can see both the SSH key
> password when I type it, and the root password when I type that.

That's right. If an attacker has full control over your machine
then it doesn't make any difference.

But if he can only see what you are typing, for example by a keylogger
or by detecting the electromagnetic radiation of your keyboard or by
watching your keyboard with a camera, then he can do nothing with the
root password of your server when root login with password is forbidden.

Just my two cents. ;-)

--
Regards
wabe



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 02:32 PM, Stanislav Nikolov wrote:
> 
> 
> On 11/10/2015 09:25 PM, Michael Orlitzky wrote:
>> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
>>> Are you sure you know how such keys work? An extremely 15 character
>>> password (Upper case, lower case, numbers, 8 more symbols) gives you
>>> ~4747561509943000 combinations. Just a simple 2048 bit
>>> key on the other hand (~180 of which are "secure")
>>> 153249554086558358347027150309183618739122183602176. That's A LOT
>>> moar. You don't have to generate the key from a password!
>>>
>> I don't have to brute-force the key. The key is encrypted with a
>> password. How long is that password?
>>
>>
>>
> 1) The key is not encrypted.  
> 2) You don't need a password to generate a key.  
> 3) Don't go full retard, do your research before arguing.
> 

I guess I'll just say that I'm fine with it taking trillions of years to
hack my systems and give up.

Yes, adding another key would make it take longer than trillions of
years. So would increasing the password length.




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 04:11 PM, waben...@gmail.com wrote:
> 
> You can disable password login for that user on the server. Then he
> can only log in via ssh key. With the knowledge of the root password
> alone it is not possible to gain root access to the server. An
> attacker also needs the ssh key. And with a camera, keylogger, or
> measuring radiation he cannot fetch that key.
> 

This is pretty close to what I originally asked for, thank you.
If you disable all password logins to the server AND disable remote root
logins altogether, then you can stop someone from gaining root by
peeking over your shoulder as you type.

Unless they bash you over the head and swipe your laptop. But still,
I'll take it.
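As an added example (not code from the thread, from Gentoo or from OpenSSH), a small Python audit of an sshd_config against the two points the thread settles on: the PermitRootLogin default change the original warning is about, and the "no password logins at all, root only through su/sudo afterwards" layout. It applies the sshd_config(5) rules that the first occurrence of a keyword wins and that everything after a Match line is conditional; the three sample configurations are constructed, and the built-in defaults are OpenSSH's documented ones (PermitRootLogin "yes" before 7.0, "prohibit-password" from 7.0).

```python
import re

# Built-in defaults that matter for the thread's question.  OpenSSH 7.0
# changed PermitRootLogin from "yes" to "prohibit-password"; the other
# three defaults are the same on both sides of that upgrade.
DEFAULTS_BEFORE_7_0 = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}
DEFAULTS_FROM_7_0 = dict(DEFAULTS_BEFORE_7_0, permitrootlogin="prohibit-password")

# sshd_config line: keyword, then either "=" or whitespace, then the
# argument(s).  Keywords are case-insensitive, arguments are not.
KEYWORD_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return (global_settings, has_match_blocks).

    Rules from sshd_config(5) applied here: '#' starts a comment, the FIRST
    occurrence of a keyword wins (later duplicates are ignored), and lines
    after the first "Match" are conditional, so they are not folded into the
    global view.
    """
    settings = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            has_match = True
            break
        settings.setdefault(keyword, value)  # first value wins
    return settings, has_match


def effective(settings, defaults):
    """Fill in the version's built-in default for every keyword not set."""
    return {k: settings.get(k, d) for k, d in defaults.items()}


def upgrade_changes_root_login(text):
    """True when the same file yields a different PermitRootLogin before and
    after the 7.0 default change, i.e. root-with-password logins that work
    today stop working after the upgrade (the original warning)."""
    settings, _ = parse_sshd_config(text)
    before = effective(settings, DEFAULTS_BEFORE_7_0)["permitrootlogin"]
    after = effective(settings, DEFAULTS_FROM_7_0)["permitrootlogin"]
    return before != after


def audit(eff, has_match):
    """Findings against the policy the thread converges on: no remote root
    login, no password authentication anywhere, key-only access for the
    admin account.  An empty list means the policy holds."""
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can authenticate remotely with a password")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: an observed password is enough for a shell")
    if eff["challengeresponseauthentication"] == "yes":
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive can still prompt for a password")
    if eff["pubkeyauthentication"] != "yes" and eff["passwordauthentication"] != "yes":
        findings.append("no key and no password authentication: remote lockout")
    if has_match:
        findings.append("Match blocks present: check the per-user view with sshd -T -C user=...,host=...,addr=...")
    return findings


# Constructed samples (not taken from any real host).
# 1) Default left commented out: works today, silently loses root password
#    logins after the upgrade.
SAMPLE_UNSET = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""
# 2) The workaround from the original warning: pin the value explicitly.
SAMPLE_PINNED = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
# 3) The layout the thread ends on: unprivileged user with a key, no
#    passwords over the network, root reached only via su/sudo afterwards.
SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin
"""

if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET), ("pinned", SAMPLE_PINNED),
                       ("hardened", SAMPLE_HARDENED)):
        settings, has_match = parse_sshd_config(text)
        print(name, "- root login changes on upgrade:", upgrade_changes_root_login(text))
        for finding in audit(effective(settings, DEFAULTS_FROM_7_0), has_match):
            print("  -", finding)
```

The parser only reflects the global section; on a host with Match blocks, `sshd -T -C user=...,host=...,addr=...` prints the effective values for a specific connection.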




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Dale
Michael Orlitzky wrote:
> On 11/10/2015 04:11 PM, waben...@gmail.com wrote:
>> You can disable password login for that user on the server. Then he
>> can only log in via ssh key. With the knowledge of the root password
>> alone it is not possible to gain root access to the server. An
>> attacker also needs the ssh key. And with a camera, keylogger, or
>> measuring radiation he cannot fetch that key.
>>
> This is pretty close to what I originally asked for, thank you.
> If you disable all password logins to the server AND disable remote root
> logins altogether, then you can stop someone from gaining root by
> peeking over your shoulder as you type.
>
> Unless they bash you over the head and swipe your laptop. But still,
> I'll take it.
>
>
>

Now I'm curious.  Just how often does all this stuff take place?  I
figure when hackers attack, they go straight for root access anyway.  If
that access is disabled then they will never get in, no matter how long
they try.  From what little I know, even if they have the root password
they still can't get in unless they also have the other user account to
log in with first.

Now when hackers get around to hitting folks over the head with a club,
we got problems.  Given I touched my electric fence by accident a while
back, a stun gun would get me to give up quite a lot.  O_O 

Dale

:-)  :-) 



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Jeff Smelser
Again, you're not understanding that brute force is not entirely how you
think it works. As a former employee of a large tech company, I can say
they are much more cunning in how they do it these days.

If you wanted to break into an account, would you really start with a and
work your way up?

Come on.

Accounts are broken into all the time and they claimed their passwords were
awesome..

You're not an idiot, you just need to do more research on how hackers get in.

On Tue, Nov 10, 2015 at 12:31 PM, Michael Orlitzky  wrote:

> On 11/10/2015 02:23 PM, Stanislav Nikolov wrote:
> >
> >
> > On 11/10/2015 09:17 PM, Michael Orlitzky wrote:
> >> On 11/10/2015 02:00 PM, Jeff Smelser wrote:
> >>> I guess from this you're assuming that everyone's passwords that
> >>> have been hacked are god, birthdays and such?
> >>>
> >> Again: assume that I'm not an idiot, and that I know how to choose
> >> a long, random password. It cannot be brute-forced. And if it
> >> could, adding an SSH key encrypted with a password of the same
> >> length would provide no extra security.
> >>
> >>
> > Are you sure you know how such keys work? An extremely 15 character
> > password (Upper case, lower case, numbers, 8 more symbols) gives you
> > ~4747561509943000 combinations
>
>
> And since no one seems to believe me, if you could try a million
> passwords a second (over the network!), it would take you about
> 75,272,093,955,210 years to try half of those combinations.
>
>
>


Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread wabenbau
Michael Orlitzky  wrote:

> On 11/10/2015 03:52 PM, waben...@gmail.com wrote:
> > 
> > That's right. If an attacker has full control over your machine
> > then it doesn't make any difference.
> > 
> > But if he can only see what you are typing, for example by a
> > keylogger or by detecting the electromagnetic radiation of your
> > keyboard or by watching your keyboard with a camera, then he can do
> > nothing with the root password of your server when root login with
> > password is forbidden.
> > 
> 
> I said I would give up but I lied.
> 
> The scenario that we're talking about has the user log in via an SSH
> key to some server. Once he's logged in to the server, the user uses
> "su" or "sudo" to become root. This requires that he type the root
> password. So a keyboard camera would still obtain the password.
> 
> If you never actually obtain root access, of course you are safe =)

You can disable password login for that user on the server. Then he
can only log in via ssh key. With the knowledge of the root password
alone it is not possible to gain root access to the server. An
attacker also needs the ssh key. And with a camera, keylogger, or
measuring radiation he cannot fetch that key.

--
Regards
wabe



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Michael Orlitzky
On 11/10/2015 03:52 PM, waben...@gmail.com wrote:
> 
> That's right. If an attacker has full control over your machine
> then it doesn't make any difference.
> 
> But if he can only see what you are typing, for example by a keylogger
> or by detecting the electromagnetic radiation of your keyboard or by
> watching your keyboard with a camera, then he can do nothing with the
> root password of your server when root login with password is forbidden.
> 

I said I would give up but I lied.

The scenario that we're talking about has the user log in via an SSH key
to some server. Once he's logged in to the server, the user uses "su" or
"sudo" to become root. This requires that he type the root password. So
a keyboard camera would still obtain the password.

If you never actually obtain root access, of course you are safe =)




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan Mackenzie
Hello, Jeff.

On Mon, Nov 09, 2015 at 08:26:27PM -0700, Jeff Smelser wrote:
> On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky  wrote:

> > A major upgrade to OpenSSH is being stabilized:

> >   https://bugs.gentoo.org/show_bug.cgi?id=18

> > The default of PermitRootLogin for sshd in the new version is
> > "prohibit-password". If you typically log in to the root account over
> > SSH using a password, **IT'S GONNA BREAK**, and you won't be able to fix
> > it remotely unless you have an account that can sudo to root.

> > To maintain the current behavior, set PermitRootLogin to "yes" before
> > you upgrade, and then be careful not to wipe out sshd_config.



> The question is, why would you want root login? If you're still using it,
> you're doing it wrong.

You might have just booted up a bare machine with the Gentoo install CD,
and you're using ssh to issue the installation commands from a more
comfortable fully installed machine.

By the way, anybody, what's the alternative to a password login when you
need to login remotely as root?

-- 
Alan Mackenzie (Nuremberg, Germany).



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Neil Bothwick
On Tue, 10 Nov 2015 09:53:52 +, Alan Mackenzie wrote:

> By the way, anybody, what's the alternative to a password login when you
> need to login remotely as root?

key login, set "PermitRootLogin without-password" and add your public
keys to .ssh/authorized_keys


-- 
Neil Bothwick

WINDOWS: Will Install Needless Data On Whole System




Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Alan McKinnon

On 10/11/2015 11:53, Alan Mackenzie wrote:
> Hello, Jeff.
> 
> On Mon, Nov 09, 2015 at 08:26:27PM -0700, Jeff Smelser wrote:
>> On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky  wrote:
>>> A major upgrade to OpenSSH is being stabilized:
>>>
>>>   https://bugs.gentoo.org/show_bug.cgi?id=18
>>>
>>> The default of PermitRootLogin for sshd in the new version is
>>> "prohibit-password". If you typically log in to the root account over
>>> SSH using a password, **IT'S GONNA BREAK**, and you won't be able to fix
>>> it remotely unless you have an account that can sudo to root.
>>>
>>> To maintain the current behavior, set PermitRootLogin to "yes" before
>>> you upgrade, and then be careful not to wipe out sshd_config.
>>
>> The question is, why would you want root login? If you're still using it,
>> you're doing it wrong.
> 
> You might have just booted up a bare machine with the Gentoo install CD,
> and you're using ssh to issue the installation commands from a more
> comfortable fully installed machine.
> 
> By the way, anybody, what's the alternative to a password login when you
> need to login remotely as root?

ssh keys



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread wabenbau
Dale  wrote:

> Michael Orlitzky wrote:
> > On 11/10/2015 04:11 PM, waben...@gmail.com wrote:
> >> You can disable password login for that user on the server. Then
> >> he can only log in via ssh key. With only the knowledge of the root
> >> password it is not possible to gain root access to the server. An
> >> attacker also needs the ssh key. And with a camera, keylogger, or
> >> by measuring radiation he cannot fetch that key.
> >>
> > This is pretty close to what I originally asked for, thank you.
> > If you disable all password logins to the server AND disable remote
> > root logins altogether, then you can stop someone from gaining root
> > by peeking over your shoulder as you type.
> >
> > Unless they bash you over the head and swipe your laptop. But still,
> > I'll take it.
> >
> >
> >
> 
> Now I'm curious.  Just how often does all this stuff take place?   I
> figure when hackers attack, they go straight for root access anyway.
> If that access is disabled then they will never get in, no matter how
> long they try.  From what little I know, even if they have the root
> password they still can't get in unless they also have the other user
> account to log in with first.

A server is called a server because it has something to serve. ;-)
If these services (web, ftp, mail, file or whatever else) are
accessible through a public network (Internet, Intranet, WLAN), then
attackers are looking for vulnerabilities in these services. Often
they use exploit kits like Blackhole for that. If they find a
vulnerability, they try to exploit it. Whether the attackers are
successful or not depends also on how well the server is hardened,
that is, how well it is protected against such vulnerable services.

There are different mechanisms for such protection. For example,
simple chroot() jails or, much more complex, access control systems
like AppArmor and SELinux for isolating services, and SSP and PaX for
protection against stack and buffer overflow based exploits.

--
Regards
wabe



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-10 Thread Walter Dnes
On Mon, Nov 09, 2015 at 08:38:20PM -0500, Michael Orlitzky wrote
> A major upgrade to OpenSSH is being stabilized:
> 
>   https://bugs.gentoo.org/show_bug.cgi?id=18
> 
> The default of PermitRootLogin for sshd in the new version is
> "prohibit-password". If you typically log in to the root account over
> SSH using a password, **IT'S GONNA BREAK**, and you won't be able to fix
> it remotely unless you have an account that can sudo to root.
> 
> To maintain the current behavior, set PermitRootLogin to "yes" before
> you upgrade, and then be careful not to wipe out sshd_config.

  Thanks for the info.  I'm doing an install on a machine at home, and I
ran into that.  Since I hadn't yet created a local user, there was
nowhere to sudo from.  Fortunately, it's all in one room, and a few
clicks of the KVM remote-switcher brought me to the actual machine,
where I could log in directly.  I now have my key on the installed
machine and can ssh in from my current machine.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



[gentoo-user] OpenSSH upgrade warning

2015-11-09 Thread Michael Orlitzky
A major upgrade to OpenSSH is being stabilized:

  https://bugs.gentoo.org/show_bug.cgi?id=18

The default of PermitRootLogin for sshd in the new version is
"prohibit-password". If you typically log in to the root account over
SSH using a password, **IT'S GONNA BREAK**, and you won't be able to fix
it remotely unless you have an account that can sudo to root.

To maintain the current behavior, set PermitRootLogin to "yes" before
you upgrade, and then be careful not to wipe out sshd_config.
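As an added illustration of the two points raised in this thread (Michael's warning that the new default is "prohibit-password", and Neil's answer that "without-password" plus a key in authorized_keys is the alternative), the following Python script is not code from the list or from OpenSSH. It predicts, from an sshd_config, whether root password login works under the old default ("yes") but would stop working under the new one, and whether a root key is in place as a fallback. It mirrors the sshd_config rules that matter here: keywords are case-insensitive, the first occurrence of a keyword wins, "without-password" is the older spelling of "prohibit-password", and anything after a Match line is conditional rather than global. The sample config texts are constructed for the example.

```python
"""Pre-upgrade check for the PermitRootLogin default change (added example)."""
import re

# Values sshd accepts for PermitRootLogin, normalized to one spelling.
# "without-password" is the older name for "prohibit-password".
PERMIT_ROOT_LOGIN_VALUES = {
    "yes": "yes",
    "no": "no",
    "prohibit-password": "prohibit-password",
    "without-password": "prohibit-password",
    "forced-commands-only": "forced-commands-only",
}

OLD_DEFAULT = "yes"                # behaviour people relied on before the upgrade
NEW_DEFAULT = "prohibit-password"  # default described in this thread


def parse_global_options(config_text):
    """Return {keyword_lower: value} for options set outside Match blocks.

    Only the first occurrence of a keyword counts, as in sshd. Everything
    after the first Match line is conditional and is ignored here, so the
    result is the unconditional (global) configuration.
    """
    options = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        options.setdefault(keyword, value)  # first occurrence wins
    return options


def effective_permit_root_login(config_text, default=NEW_DEFAULT):
    """Normalized PermitRootLogin in force, falling back to the given default."""
    value = parse_global_options(config_text).get("permitrootlogin", default).lower()
    if value not in PERMIT_ROOT_LOGIN_VALUES:
        raise ValueError("unsupported PermitRootLogin value: %r" % value)
    return PERMIT_ROOT_LOGIN_VALUES[value]


def root_password_login_breaks(config_text, root_has_authorized_keys):
    """True if root password login works today but would stop after the
    upgrade, with no key in root's authorized_keys to fall back on.

    Key-based root login still works under prohibit-password, so a key is
    an adequate fallback; an explicit "PermitRootLogin yes" pins the old
    behaviour regardless of the default.
    """
    before = effective_permit_root_login(config_text, default=OLD_DEFAULT)
    after = effective_permit_root_login(config_text, default=NEW_DEFAULT)
    if before == "yes" and after != "yes":
        return not root_has_authorized_keys
    return False


# Constructed sample: the shipped config leaves PermitRootLogin commented
# out, so the compiled-in default decides. The Match block is conditional
# and does not change the global value.
SAMPLE_DEFAULT_CONFIG = """\
# constructed sshd_config sample
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PermitRootLogin yes
"""

# Constructed sample: the fix recommended in the thread, set before the
# upgrade. The second line is ignored because the first occurrence wins.
SAMPLE_PINNED_CONFIG = """\
permitrootlogin = yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT_CONFIG), ("pinned", SAMPLE_PINNED_CONFIG)):
        print(name, "->", effective_permit_root_login(cfg),
              "breaks without key:", root_password_login_breaks(cfg, False))
```

The check deliberately reads only the global value: a Match block can grant root login conditionally, but it cannot restore the unconditional behaviour the thread is worried about, which is why a commented-out PermitRootLogin is reported as breaking while an explicit "yes" is not.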



Re: [gentoo-user] OpenSSH upgrade warning

2015-11-09 Thread Jeff Smelser
On Mon, Nov 9, 2015 at 6:38 PM, Michael Orlitzky  wrote:

> A major upgrade to OpenSSH is being stabilized:
>
>   https://bugs.gentoo.org/show_bug.cgi?id=18
>
> The default of PermitRootLogin for sshd in the new version is
> "prohibit-password". If you typically log in to the root account over
> SSH using a password, **IT'S GONNA BREAK**, and you won't be able to fix
> it remotely unless you have an account that can sudo to root.
>
> To maintain the current behavior, set PermitRootLogin to "yes" before
> you upgrade, and then be careful not to wipe out sshd_config.
>
>

The question is, why would you want root login? If you're still using it,
you're doing it wrong.