ssh: Permission denied

Donald Tripp dtripp at hawaii.edu
Fri Dec 22 21:23:20 UTC 2006


But think of it this way: you see all those log files with people  
trying to GUESS usernames: fred, mary, joe, jane.... wouldn't it be  
better to NOT allow root access so they MUST guess your username as  
well as key, and password? Three phase authentication is always  
better than two!

- Donald Tripp
  dtripp at hawaii.edu
----------------------------------------------
HPC Systems Administrator
High Performance Computing Center
University of Hawai'i at Hilo
200 W. Kawili Street
Hilo,   Hawaii   96720
http://www.hpc.uhh.hawaii.edu


On Dec 22, 2006, at 11:00 AM, Dmitriy Kropivnitskiy wrote:

> Dylan Semler wrote:
>> Here's something that I've always been curious about.  I assume  
>> that the
>> dangers of allowing root log-in are:
>> 1.  It's a user name that every linux system (except ubuntu) has,  
>> so all a hacker needs is the correct password in order to gain  
>> access, rather than the correct user name and password.
>> 2.  Once access is gained, there are no restrictions on what the  
>> user can do, as they are root.
>> However, if you use an 8-digit password with capital and lowercase  
>> letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) =  
>> 8^92 = 1.21e83 possible passwords.  Since ssh waits about a second  
>> after each incorrect password and there have been only 3.32e17  
>> seconds in the history of the universe, it seems strictly  
>> /impossible/ for a password to be guessed.  So the risk must not be  
>> from password-bots.  What is the risk then?
>
> This was my question as well, but I want to up this a bit. I  
> actually disallowed password authentication over SSH. I only allow  
> root and only with a correct key. Obviously someone could steal my  
> key. But the key is password protected, so they would have to steal  
> my password too. Now, at this stage actually creating a separate  
> account on my box, an account I will never use for anything except  
> to do su - seems ridiculous. Mind you that I do not do anything on  
> my servers that doesn't require root privileges.
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
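
Added example, not part of the original thread: a tally of failed sshd password attempts by guessed username, for the kind of log files mentioned in the reply above. The log lines are constructed samples in OpenSSH's syslog format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format OpenSSH's sshd writes to the auth log.
SAMPLE_LOG = """\
Dec 22 10:01:02 host sshd[2101]: Failed password for invalid user fred from 192.0.2.10 port 40112 ssh2
Dec 22 10:01:04 host sshd[2103]: Failed password for invalid user mary from 192.0.2.10 port 40118 ssh2
Dec 22 10:01:07 host sshd[2105]: Failed password for root from 192.0.2.10 port 40125 ssh2
Dec 22 10:01:09 host sshd[2107]: Failed password for root from 192.0.2.10 port 40131 ssh2
Dec 22 10:01:11 host sshd[2108]: Failed password for invalid user test user from 192.0.2.10 port 40140 ssh2
Dec 22 10:01:12 host sshd[2109]: Failed password for invalid user joe from 198.51.100.7 port 51822 ssh2
Dec 22 10:01:15 host sshd[2111]: Failed password for alice from 198.51.100.7 port 51830 ssh2
Dec 22 10:02:00 host sshd[2120]: Accepted publickey for alice from 203.0.113.5 port 60022 ssh2
"""

# Greedy (.*) anchors on the LAST " from <addr> port <n>", so a username that
# itself contains spaces or " from " cannot shift the address field.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(.*) "
    r"from (\S+) port \d+ ssh2\s*$"
)

def tally_failed_logins(log_text):
    """Count failed password attempts per username and per source address."""
    existing, unknown, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        invalid, user, source = m.groups()
        # sshd prefixes names it does not accept as an account with "invalid user"
        (unknown if invalid else existing)[user] += 1
        sources[source] += 1
    return existing, unknown, sources

def summarize(log_text):
    existing, unknown, sources = tally_failed_logins(log_text)
    return {
        "total": sum(existing.values()) + sum(unknown.values()),
        "root": existing["root"],
        "existing": dict(existing),
        "nonexistent": dict(unknown),
        "by_source": dict(sources),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```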
