ssh: Permission denied
Dmitriy Kropivnitskiy
nigde at mitechki.net
Fri Dec 22 21:00:21 UTC 2006
Dylan Semler wrote:
> Here's something that I've always been curious about. I assume that the
> dangers of allowing root log-in are:
>
> 1. It's a user name that every linux system (except ubuntu) has, so all
> a hacker needs is the correct password in order to gain access, rather
> than the correct user name and password.
>
> 2. Once access is gained, there are no restrictions on what the user
> can do, as they are root.
>
> However, if you use an 8-digit password with capital and lowercase
> letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) = 8^92 =
> 1.21e83 possible passwords. Since ssh waits about a second after each
> incorrect password and there have been only 3.32e17 seconds in the
> history of the universe, it seems strictly /impossible/ for a password
> to be guessed. So the risk must not be from password-bots. What is the
> risk then?

This was my question as well, but I want to up this a bit. I actually
disallowed password authentication over SSH. I only allow root and only
with a correct key. Obviously someone could steal my key. But the key is
password protected, so they would have to steal my password too. Now, at
this stage actually creating a separate account on my box, an account I
will never use for anything except to do su - seems ridiculous. Mind you
that I do not do anything on my servers that doesn't require root
privileges.
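
An added example, not part of the original post: a small check that an sshd_config really enforces the setup described above (no passwords over SSH, root by key only), including two details that are easy to miss: sshd keeps the first value it reads for a keyword, and keyboard-interactive authentication can still prompt for a password through PAM. The function names and the sample file are hypothetical, absent keywords are assumed to take upstream OpenSSH defaults, and Match blocks and Include files are not evaluated.

```python
import re

# Assumed defaults for absent keywords; PermitRootLogin is treated as "yes"
# (the pre-7.0 default) so that an unset value is flagged.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
KEY_ONLY_ROOT = {"prohibit-password", "without-password", "forced-commands-only"}

def effective_settings(config_text):
    """Return global settings; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":      # Match blocks are conditional; stop at the first
            break
        seen.setdefault(key, parts[1].strip().strip('"'))
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List deviations from 'root by key only, no passwords over SSH'."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive (PAM) can still prompt for a password")
    if s["permitrootlogin"].lower() not in KEY_ONLY_ROOT:
        findings.append("PermitRootLogin is '%s', not key-only" % s["permitrootlogin"])
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

# Constructed sample: the later 'PasswordAuthentication no' loses to the first value.
SAMPLE = """\
PasswordAuthentication yes
PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE) or "policy satisfied")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, Match and Include handling included, and is the authoritative source to compare against.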