From: Michael Orlitzky
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OpenSSH upgrade warning
Date: Tue, 10 Nov 2015 16:23:50 -0500
Message-ID: <56426066.6020908@gentoo.org>

On 11/10/2015 04:11 PM, wabenbau@gmail.com wrote:
>
> You can disable password login for that user on the server. Then he
> can only login via ssh key. Only with the knowledge of the root
> password it is not possible to gain root access to the server. An
> attacker also needs the ssh key. And with a camera, keylogger, or
> measuring radiation he can not fetch that key.
>

This is pretty close to what I originally asked for, thank you. If you
disable all password logins to the server AND disable remote root logins
altogether, then you can stop someone from gaining root by peeking over
your shoulder as you type. Unless they bash you over the head and swipe
your laptop. But still, I'll take it.
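
The two conditions in the message above (no password logins, no remote root login), checked against `sshd -T`-style output. This is an added example, not part of the original thread; the sample configurations are constructed, and it additionally checks keyboard-interactive authentication, which can still prompt for a password when `PasswordAuthentication` is off.

```shell
#!/bin/sh
# Reads `sshd -T`-style effective config ("keyword value" per line) on stdin.
# Prints one FAIL line per setting that breaks the policy, or OK; the exit
# status is 0 only when the policy holds. A keyword missing from the input
# is reported as "unset" and fails.
audit_sshd() {
    awk '
        BEGIN { pw = kbd = root = pk = "unset"; kbdkey = "kbdinteractiveauthentication" }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { pw = val }
        # Keyboard-interactive (often PAM) can still ask for a password.
        # Older OpenSSH prints it as challengeresponseauthentication.
        key ~ /^(kbdinteractive|challengeresponse)authentication$/ { kbd = val; kbdkey = key }
        key == "permitrootlogin" { root = val }
        key == "pubkeyauthentication" { pk = val }
        END {
            if (pw != "no")   { print "FAIL passwordauthentication " pw; n++ }
            if (kbd != "no")  { print "FAIL " kbdkey " " kbd; n++ }
            # "Altogether" means no, not prohibit-password or forced-commands-only.
            if (root != "no") { print "FAIL permitrootlogin " root; n++ }
            # Keys must stay enabled or nobody can log in at all.
            if (pk != "yes")  { print "FAIL pubkeyauthentication " pk; n++ }
            if (n == 0) print "OK"
            exit (n > 0)
        }
    '
}

# Constructed sample: passwords "off", but keyboard-interactive is still on
# and root may still log in with a key.
sample_partial() {
    cat <<'EOF'
passwordauthentication no
kbdinteractiveauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes
EOF
}

# Constructed sample: both conditions from the message hold.
sample_hardened() {
    cat <<'EOF'
passwordauthentication no
challengeresponseauthentication no
permitrootlogin no
pubkeyauthentication yes
EOF
}

sample_partial  | audit_sshd || true
sample_hardened | audit_sshd
```

On a live host, `sshd -T | audit_sshd` run as root checks the global settings; settings inside `Match` blocks are only evaluated when `sshd -T` is given a connection spec with `-C`.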