Alright, so I recently installed Ubuntu Server 8.10 on an old 500MHz (1st gen) Athlon w/ 256MB RAM and 10GB & 40GB HDs. Currently this box is housed on my intranet with no possibility for external access (yet). I've got SSH up and running OK; it seems fairly secure, as all the "tools" I've tried have found no flaw with it, and I see no reported exploits w/ my version. My question is this: my goal is to make the content on the box (to come later) available via SSH login for several folks. From my research I've found 3 possible "login" schemes that I want to focus on:
#1 - Normal login, giving my Linux user ID\Password at the login prompt. (Which is transferred securely to the server, so that's good.)
#2 - RSA login WITHOUT a password, which I would assume doesn't prompt for the Linux user name\password either, since it has your key file and just lets you in.
#3 - RSA login WITH a password, which appears to be a single password you'd have to remember & can use with the same key file to authenticate to anything capable of using RSA.

So now my train of thought is a little old school, in that I've always been strictly about 15-20 mixed-character passwords of pretty reasonable strength for everything. However, most of my "users" aren't gonna be too good at remembering: th$is$my%p...@#word(*& , rightfully so. So now looking towards something like "RSA", to be honest the middle option worries me: does it mean someone else using a "trusted" computer can just gain access? Let's say I'm recognized by the server but my buddy Steve comes over; w/o any password prompts he'll just be given access because the server "trusts" MY computer? Or am I viewing that wrong? This is why I'm looking towards the latter option, as the thought of having 1 password to allow me and my users authentication to several things is pretty attractive. However, that in its own right is obviously highly costly should anyone's "single" password be compromised. I also read that not using option #1 prevents "brute force" attacks because the server uses the "key" for authentication. Would introducing a password for that "key" bring back the possibility of those brute force attacks? Only this time resulting in a costlier compromise of the server, because they now have access to EVERYTHING you use RSA auth for, rather than just perhaps what's available for that user account during an SSH session? Just a few things I was wondering about. I'm trying to get into networking and server administration, so I'm taking security & my understanding of it very seriously, from the ground up.
I hope this was the right group, and I appreciate any helpful comments or points in the right direction. Thanks in advance all, FMorales...

You received this message because you are subscribed to the Google Groups "Ubuntu Linux" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/ubuntulinux?hl=en
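An added example, not part of the original post or of any reply to it: a small Python audit of the sshd_config settings that decide which of the three schemes is actually reachable from the network. The point it illustrates is that in schemes #2 and #3 the server only ever holds the public key; the passphrase in #3 encrypts the private key file on the client and is never sent, so whether the password prompt that brute-force tools aim at stays open is decided by PasswordAuthentication (and keyboard-interactive via PAM) on the server, not by how the key is protected. The built-in defaults, both sample configs and the user names in AllowUsers are constructed assumptions for the example.

```python
"""Audit the authentication keywords of an sshd_config.

Added example. The DEFAULTS table is an assumption modelled on the
OpenSSH 5.x era that Ubuntu 8.10 shipped; check your own version.
"""
import re

# sshd built-in defaults for the keywords checked below (assumption)
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# "Keyword value" or "Keyword = value"; keywords are case-insensitive
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return the effective global settings of an sshd_config.

    Like sshd: the first occurrence of a keyword wins, '#' starts a comment,
    and the global section ends at the first 'Match' block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (keyword, finding) pairs for settings that keep the password
    prompt (scheme #1) reachable over the network or break key-only login."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("passwordauthentication",
                         "password logins are on: online guessing against the login "
                         "prompt remains possible; set 'no' once every user has a key"))
    if cfg["challengeresponseauthentication"].lower() == "yes":
        findings.append(("challengeresponseauthentication",
                         "keyboard-interactive auth is on: PAM can still ask for the "
                         "account password even with PasswordAuthentication no"))
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append(("permitemptypasswords",
                         "accounts with empty passwords may log in"))
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("permitrootlogin",
                         "root may log in directly; prefer 'no' and use sudo "
                         "from a named account"))
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append(("pubkeyauthentication",
                         "public-key logins are off, so schemes #2 and #3 cannot work"))
    if int(cfg["maxauthtries"]) > 3:
        findings.append(("maxauthtries",
                         "more than 3 attempts per connection; lowering it slows guessing"))
    return findings


# Constructed sample: root login switched on, password settings left at defaults.
WEAK_CONFIG = """# constructed sample config
Port 22
Protocol 2
PermitRootLogin yes
UsePAM yes
"""

# Constructed sample: key-only login, the shape schemes #2/#3 need on the server.
HARDENED_CONFIG = """# constructed sample config
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries = 3
AllowUsers fmorales steve
Match User steve
    PasswordAuthentication yes   # inside Match: not a global setting
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(text)
        print(f"{name}: {len(result)} finding(s)")
        for key, msg in result:
            print(f"  {key}: {msg}")
```

Run it against a copy of /etc/ssh/sshd_config by reading the file into `audit()`; an empty list means the password prompt is closed and only keys (with or without a passphrase, which the server cannot tell apart) get a session.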
