Re: [gentoo-user] OpenSSH upgrade warning

[<wabenbau@gmail.com>]

Michael Orlitzky <mjo@gentoo.org> wrote:

> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
> > 
> > What would take longer?
> > brute-forcing your root-password or a 4096 byte ssh key?
> > 
> 
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.
> 
> And a 4096-bit public encryption key doesn't provide 4096 bits of
> security -- you're thinking of symmetric encryption. Regardless, if
> someone is brute-forcing passwords, it would take them "twice" as long
> to brute-force both my root password and the password on my SSH key as
> it would to do the root password alone. I can do better than 2x by
> adding a character to my password. And that's pointless, because it
> would already take forever. No-more-Earth forever.
> 
> 
> > 
> >> All of the good attacks (shoot me, bribe me, steal the hardware,
> >> etc.) that I can think of work just fine against the two-factor
> >> auth. The only other way to get the root password is to be there
> >> when I transfer it from my brain to the terminal, in which case
> >> you have the SSH key, too.
> > 
> > The ssh-key is stored on your desktop/laptop. Secured with a
> > passphrase.
> > 
> 
> If my machine is compromised, the attacker can see both the SSH key
> password when I type it, and the root password when I type that.

That's right. If an attacker has the full control over your machine
then it doesn't make any difference. 

But if he can only see what you are typing, for example by a keylogger 
or by detecting the electromagentic radiation of your keyboard or by 
watching your keyboard with a camera, then he can do nothing with the 
root password of your server when root login with password is forbidden.

Just my two cents. ;-)

--
Regards
wabe