From: Peter Volkov
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Date: Wed, 14 Dec 2011 07:18:07 +0400
Message-ID: <1323832687.18030.11.camel@tablet>
In-Reply-To: <20111211145302.GE1990@home.power>

On Sun, 11/12/2011 at 16:53 +0200, Alex Efros writes:
> On Sun, Dec 11, 2011 at 02:25:19PM +0000, Sven Vermeulen wrote:
> > > 1) How can
> > > 4.2.4.1. Root Logon Through SSH Is Not Allowed
> > > increase security, if we're already using
> > > 4.2.4.2. Public Key Authentication Only
> > > Disabling root may make sense with password auth, but with keys it is
> > > just a useless inconvenience.
> >
> > I read somewhere that security is about making things more inconvenient for
> > malicious people than for authorized ones.
> >
> > For me, immediately logging in as root is not done. I want to limit root
> > access through the regular accounts on the system (with su(do)). I never had
> > the need to log on as root immediately myself.
>
> Understood. But I still don't see how this can increase security.

To authorize you need a pair: login/password or login/priv_key. By requiring
the login to be guessable too, you make it harder to guess both. Remember how
Debian made it possible to brute-force the private key [1]? Additional layers
really may help in some situations...

1. http://digitaloffense.net/tools/debian-openssl/

--
Peter.
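An added example, not part of the mail above or of the Gentoo handbook it refers to: a POSIX shell audit of an sshd_config against the two handbook items under debate (4.2.4.1, root logon over SSH not allowed; 4.2.4.2, public key authentication only). The function names are assumed, as are OpenSSH's "first value of a directive wins" rule and a default of "yes" for each of the three directives when absent (the historical default).

```shell
# Added example (not from the thread): audit an sshd_config for the two
# handbook items debated above. Constructed helper names; assumes OpenSSH's
# "first value of a directive wins" rule and a default of "yes" for each
# directive when it is absent (the historical OpenSSH default).

# sshd_setting FILE DIRECTIVE DEFAULT -> prints the effective global value
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }                          # comment line
        NF == 0          { next }                          # blank line
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }          # "Key = value" form
        tolower($1) == "match" { exit }                    # global section ends
        tolower($1) == tolower(key) && v == "" { v = $2 }  # first value wins
        END { gsub(/"/, "", v); print (v == "" ? def : v) }' "$1"
}

# audit_sshd_config FILE -> returns 0 if both items hold, 1 otherwise
audit_sshd_config() {
    cfg=$1; rc=0
    root=$(sshd_setting "$cfg" PermitRootLogin yes)
    pass=$(sshd_setting "$cfg" PasswordAuthentication yes)
    pub=$(sshd_setting "$cfg" PubkeyAuthentication yes)
    # 4.2.4.1: only "no" rules out a direct root logon; prohibit-password
    # still lets root in with a key, which is exactly the case being argued.
    case $root in
        no) echo "4.2.4.1 ok:   PermitRootLogin no" ;;
        *)  echo "4.2.4.1 FAIL: PermitRootLogin $root (direct root logon possible)"; rc=1 ;;
    esac
    # 4.2.4.2: keys on, passwords off
    if [ "$pass" = no ] && [ "$pub" = yes ]; then
        echo "4.2.4.2 ok:   key-only authentication"
    else
        echo "4.2.4.2 FAIL: PasswordAuthentication $pass, PubkeyAuthentication $pub"; rc=1
    fi
    return $rc
}
# usage: audit_sshd_config /etc/ssh/sshd_config
```

Directives after the first Match block are ignored on purpose, since they apply only to the matched users or hosts, not to the global policy the handbook items describe.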