ssh: Permission denied
Donald Tripp
dtripp at hawaii.edu
Fri Dec 22 21:23:20 UTC 2006
But think of it this way: you see all those log files with people
trying to GUESS usernames: fred, mary, joe, jane.... wouldn't it be
better to NOT allow root access so they MUST guess your username as
well as key, and password? Three phase authentication is always
better than two!
- Donald Tripp
dtripp at hawaii.edu
----------------------------------------------
HPC Systems Administrator
High Performance Computing Center
University of Hawai'i at Hilo
200 W. Kawili Street
Hilo, Hawaii 96720
http://www.hpc.uhh.hawaii.edu
On Dec 22, 2006, at 11:00 AM, Dmitriy Kropivnitskiy wrote:
> Dylan Semler wrote:
>> Here's something that I've always been curious about. I assume that the
>> dangers of allowing root log-in are:
>> 1. It's a user name that every linux system (except ubuntu) has,
>> so all a hacker needs is the correct password in order to gain
>> access, rather than the correct user name and password.
>> 2. Once access is gained, there are no restrictions on what the
>> user can do, as they are root.
>> However, if you use an 8-digit password with capital and lowercase
>> letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) =
>> 8^92 = 1.21e83 possible passwords. Since ssh waits about a second
>> after each incorrect password and there have been only 3.32e17
>> seconds in the history of the universe, it seems strictly
>> /impossible/ for a password to be guessed. So the risk must not be
>> from password-bots. What is the risk then?
>
> This was my question as well, but I want to up this a bit. I
> actually disallowed password authentication over SSH. I only allow
> root and only with a correct key. Obviously someone could steal my
> key. But the key is password protected, so they would have to steal
> my password too. Now, at this stage actually creating a separate
> account on my box, an account I will never use for anything except
> to do su - seems ridiculous. Mind you that I do not do anything on
> my servers that doesn't require root privileges.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
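
The log pattern mentioned in the reply above (guessed usernames such as fred and mary alongside attempts on root) can be tallied from sshd's failed-password lines. This is an added example, not part of the original thread; the log lines, host name, account names and addresses are constructed, and the regular expression assumes the stock OpenSSH "Failed password" message format.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd log format (RFC 5737 test addresses).
SAMPLE_LOG = """\
Dec 22 10:01:02 host sshd[2101]: Invalid user fred from 192.0.2.10
Dec 22 10:01:04 host sshd[2101]: Failed password for invalid user fred from 192.0.2.10 port 40112 ssh2
Dec 22 10:01:09 host sshd[2104]: Failed password for invalid user mary from 192.0.2.10 port 40120 ssh2
Dec 22 10:01:12 host sshd[2107]: Failed password for root from 192.0.2.10 port 40131 ssh2
Dec 22 10:01:15 host sshd[2109]: Failed password for root from 198.51.100.7 port 51822 ssh2
Dec 22 10:01:20 host sshd[2111]: Failed password for invalid user admin from 10.0.0.1 from 192.0.2.10 port 40140 ssh2
Dec 22 10:02:00 host sshd[2115]: Accepted publickey for dmitriy from 203.0.113.5 port 60222 ssh2
"""

# The username is client-supplied and may contain spaces or even " from ...",
# so match it greedily and anchor on the trailing "from <ip> port <n>" that
# sshd itself appends at the end of the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+(?: ssh\d?)?\s*$"
)

def summarize(log_text):
    """Tally failed password attempts: guessed names vs. accounts that exist."""
    guessed, existing, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successes and the separate "Invalid user" notice
        # sshd marks names with no matching account as "invalid user".
        bucket = guessed if m.group("invalid") else existing
        bucket[m.group("user")] += 1
        sources[m.group("ip")] += 1
    return {"guessed": guessed, "existing": existing, "sources": sources}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for label in ("guessed", "existing", "sources"):
        print(label)
        for key, count in report[label].most_common():
            print(f"  {count:3d}  {key}")
```
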