Subject: Re: [gentoo-user] OpenSSH upgrade warning
To: gentoo-user@lists.gentoo.org
From: Michael Orlitzky
Message-ID: <56421AB8.1080003@gentoo.org>
Date: Tue, 10 Nov 2015 11:26:32 -0500

On 11/10/2015 11:13 AM, J. Roeleveld wrote:
>
> What would take longer?
> brute-forcing your root-password or a 4096 byte ssh key?
>

My password, by a lot.
The password needs to be brute-forced over the network, first of all. And a 4096-bit public encryption key doesn't provide 4096 bits of security -- you're thinking of symmetric encryption.

Regardless, if someone is brute-forcing passwords, it would take them "twice" as long to brute-force both my root password and the password on my SSH key as it would to do the root password alone. I can do better than 2x by adding a character to my password. And that's pointless, because it would already take forever. No-more-Earth forever.

>
>> All of the good attacks (shoot me, bribe me, steal the hardware, etc.)
>> that I can think of work just fine against the two-factor auth. The only
>> other way to get the root password is to be there when I transfer it
>> from my brain to the terminal, in which case you have the SSH key, too.
>
> The ssh-key is stored on your desktop/laptop. Secured with a passphrase.
>

If my machine is compromised, the attacker can see both the SSH key password when I type it, and the root password when I type that.
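
A rough calculation of the quantities argued about in this message, as an added example that is not part of the original post. It estimates RSA strength with the general number field sieve heuristic (o(1) term dropped, so an order-of-magnitude figure), and models two independently guessable secrets as adding their search spaces; the 12-character password, 95-symbol alphabet and 1000 guesses per second are constructed assumptions.

```python
import math

def gnfs_security_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] to factor an
    RSA modulus of the given size. Order-of-magnitude estimate only."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_ln = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)

def password_bits(length: int, alphabet: int) -> float:
    """log2 of the search space of a uniformly random password."""
    return length * math.log2(alphabet)

def combined_bits(*bits: float) -> float:
    """Secrets that can be guessed one after the other add their search
    spaces; they do not multiply them."""
    return math.log2(sum(2.0 ** b for b in bits))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed online guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 86400)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    LENGTH, ALPHABET, RATE = 12, 95, 1000.0

    for size in (2048, 3072, 4096):
        print(f"RSA-{size}: ~{gnfs_security_bits(size):.0f} bits of work, not {size}")

    one = password_bits(LENGTH, ALPHABET)
    both = combined_bits(one, one)                 # root password + key passphrase
    longer = password_bits(LENGTH + 1, ALPHABET)   # one extra character
    print(f"one password:      {one:.1f} bits")
    print(f"two in sequence:   {both:.1f} bits (+{both - one:.1f})")
    print(f"one more char:     {longer:.1f} bits (+{longer - one:.1f})")
    print(f"online at {RATE:.0f}/s: {years_to_exhaust(one, RATE):.2e} years")
```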