From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 92A771384B4 for ; Tue, 10 Nov 2015 17:18:05 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8BA9DE086A; Tue, 10 Nov 2015 17:17:52 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6372CE084D for ; Tue, 10 Nov 2015 17:17:51 +0000 (UTC) Received: from [192.168.1.100] (c-98-218-46-55.hsd1.md.comcast.net [98.218.46.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mjo) by smtp.gentoo.org (Postfix) with ESMTPSA id 2F06F340739 for ; Tue, 10 Nov 2015 17:17:50 +0000 (UTC) Subject: Re: [gentoo-user] OpenSSH upgrade warning To: gentoo-user@lists.gentoo.org References: <56414A8C.1080701@gentoo.org> <56420DB1.80302@gmail.com> <56421438.4080202@gentoo.org> <1702148.kV3uT6Ls87@andromeda> <56421AB8.1080003@gentoo.org> From: Michael Orlitzky X-Enigmail-Draft-Status: N1110 Message-ID: <564226BB.7060908@gentoo.org> Date: Tue, 10 Nov 2015 12:17:47 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <56421AB8.1080003@gentoo.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Archives-Salt: 3a5994cb-8597-4a61-ab76-fc820dc67a7d X-Archives-Hash: 1239081ba8bc41c9523149075f2deac3 On 11/10/2015 11:26 AM, Michael Orlitzky wrote: > On 11/10/2015 11:13 AM, J. Roeleveld wrote: >> >> What would take longer? >> brute-forcing your root-password or a 4096 byte ssh key? >> > > My password, by a lot. The password needs to be brute-forced over the > network, first of all. I realized this wasn't correct while I was in the shower =P To tell if you decrypted the key properly, you need to send it over the network, so verification of a brute-force attempt on the SSH key takes about the same amount of time as a brute-force attempt on the root password. The root password in my head is safe against crypto attacks though, so if we're just arguing for fun, it's probably still safer. Adding the key *in addition to* the root password still only gives you a constant factor improvement, and I'm not worried whether it takes the bad guys 4,359,811,353 or 8,719,622,706 years to log in. My time would be better spent taking karate lessons to prevent one of those other attacks I mentioned.