From: Peter Volkov <pva@gentoo.org>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Date: Wed, 14 Dec 2011 07:18:07 +0400 [thread overview]
Message-ID: <1323832687.18030.11.camel@tablet> (raw)
In-Reply-To: <20111211145302.GE1990@home.power>
В Вск, 11/12/2011 в 16:53 +0200, Alex Efros пишет:
> On Sun, Dec 11, 2011 at 02:25:19PM +0000, Sven Vermeulen wrote:
> > > 1) How can
> > > 4.2.4.1. Root Logon Through SSH Is Not Allowed
> > > increase security, if we're already using
> > > 4.2.4.2. Public Key Authentication Only
> > > Disabling root may have sense with password auth, but with keys it is
> > > just useless inconvenience.
> >
> > I read somewhere that security is about making things more inconvenient for
> > malicious people than for authorized ones.
> >
> > For me, immediately logging in as root is not done. I want to limit root
> > access through the regular accounts on the system (with su(do)). I never had
> > the need to log on as root immediately myself.
>
> Understood. But I still don't see how this can increase security.
To authorize you need pair: login/password or login/priv_key. By
requiring login be guessable too you make probability to guess both
harder. Remember how debian made possible to brute-force private
key[1]? Additional layers really may help in some situations...
1. http://digitaloffense.net/tools/debian-openssl/
--
Peter.
next prev parent reply other threads:[~2011-12-14 3:19 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-10 20:17 [gentoo-hardened] New Server, considering hardened, need pointers to tfm Tanstaafl
2011-12-10 20:52 ` Matthew Thode
2011-12-11 10:18 ` Sven Vermeulen
2011-12-11 12:20 ` Alex Efros
2011-12-11 14:25 ` Sven Vermeulen
2011-12-11 14:53 ` Alex Efros
2011-12-11 16:49 ` Matthew Thode
2011-12-11 20:01 ` Hilco Wijbenga
2011-12-11 20:08 ` Kevin Chadwick
2011-12-12 11:56 ` Anthony G. Basile
2011-12-12 13:38 ` Kevin Chadwick
2011-12-12 14:08 ` Kevin Chadwick
2011-12-12 15:23 ` Javier Juan Martínez Cabezón
2011-12-12 16:44 ` Kevin Chadwick
2011-12-12 17:38 ` Javier Juan Martínez Cabezón
2011-12-12 18:41 ` Kevin Chadwick
2011-12-12 19:44 ` Javier Juan Martínez Cabezón
2011-12-12 20:19 ` Kevin Chadwick
2011-12-12 21:04 ` Javier Juan Martínez Cabezón
2011-12-12 22:08 ` Kevin Chadwick
2011-12-13 21:20 ` Javier Juan Martínez Cabezón
2011-12-14 11:05 ` Kevin Chadwick
2011-12-14 15:27 ` Javier Juan Martínez Cabezón
2011-12-14 15:55 ` Alex Efros
2011-12-14 16:28 ` Javier Juan Martínez Cabezón
2011-12-14 16:42 ` Kevin Chadwick
2011-12-14 18:06 ` Javier Juan Martínez Cabezón
2011-12-14 19:45 ` Kevin Chadwick
2011-12-14 3:18 ` Peter Volkov [this message]
2011-12-14 3:31 ` Peter Volkov
2011-12-11 20:30 ` Kevin Chadwick
2011-12-11 23:00 ` Matthew Finkel
2011-12-12 11:34 ` Kevin Chadwick
2011-12-12 11:59 ` Anthony G. Basile
2011-12-12 13:14 ` Kevin Chadwick
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1323832687.18030.11.camel@tablet \
--to=pva@gentoo.org \
--cc=gentoo-hardened@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox