But think of it this way: you see all those log files with people trying to GUESS usernames: fred, mary, joe, jane.... wouldn't it be better to NOT allow root access so they MUST guess your username as well as key, and password? Three phase authentication is always better than two!
- Donald Tripp
----------------------------------------------
HPC Systems Administrator
High Performance Computing Center
University of Hawai'i at Hilo
200 W. Kawili Street
Hilo, Hawaii 96720
On Dec 22, 2006, at 11:00 AM, Dmitriy Kropivnitskiy wrote:

> Dylan Semler wrote:
> > Here's something that I've always been curious about. I assume that the dangers of allowing root log-in are:
> >
> > 1. It's a user name that every Linux system (except Ubuntu) has, so all a hacker needs is the correct password in order to gain access, rather than the correct user name and password.
> > 2. Once access is gained, there are no restrictions on what the user can do, as they are root.
> >
> > However, if you use an 8-digit password with capital and lowercase letters, numbers, and symbols, there are 8^( 26*2 + 10*2 + 20 ) = 8^92 = 1.21e83 possible passwords. Since ssh waits about a second after each incorrect password and there have been only 3.32e17 seconds in the history of the universe, it seems strictly /impossible/ for a password to be guessed. So the risk must not be from password-bots. What is the risk then?
>
> This was my question as well, but I want to up this a bit. I actually disallowed password authentication over SSH. I only allow root and only with a correct key. Obviously someone could steal my key. But the key is password protected, so they would have to steal my password too. Now, at this stage actually creating a separate account on my box, an account I will never use for anything except to do su - seems ridiculous. Mind you that I do not do anything on my servers that doesn't require root privileges.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
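
An added example, not part of the original thread: a small checker that reads sshd_config text and reports which of the setups debated above (root by password, root by key only, no root login) the server actually enforces. The function names, result labels and sample configs are constructed for illustration; the defaults assume OpenSSH 7.0 or later, and Match blocks are not evaluated.

```python
import re

# Defaults sshd applies when a keyword is absent (assumption: OpenSSH 7.0+;
# older releases defaulted PermitRootLogin to "yes").
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling mapped to its current name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def effective_settings(config_text):
    """Global values sshd would use: for each keyword the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment, or bare keyword
            continue
        key = m.group(1).lower()       # keywords are case-insensitive
        if key == "match":             # conditional blocks are out of scope here
            break
        key = ALIASES.get(key, key)
        seen.setdefault(key, m.group(2).strip().strip('"').lower())
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def root_exposure(config_text):
    """Classify what a remote guesser needs in order to log in as root."""
    s = effective_settings(config_text)
    root = s["permitrootlogin"]
    if root == "no":
        return "no-root-login"         # a username must be found first
    if root == "forced-commands-only":
        return "key-with-forced-command"
    guessable = "yes" in (s["passwordauthentication"],
                          s["kbdinteractiveauthentication"])
    if root == "yes" and guessable:
        return "root-password-guessable"
    return "root-key-only"             # prohibit-password / without-password


# Constructed samples. In the first, the later "PermitRootLogin no" is
# shadowed by the earlier "yes" and never takes effect.
KEY_ONLY_ROOT = ("# key-only root\nPasswordAuthentication no\n"
                 "ChallengeResponseAuthentication no\n"
                 "PermitRootLogin yes\nPermitRootLogin no\n")
NO_ROOT = "PermitRootLogin no\nPasswordAuthentication yes\n"
```

On a live host, `sshd -T` prints the effective configuration, including any included files, and is the authoritative source to compare against.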