Re: HELP! I've been had! Someone hacked into my Linux box. What now?



"jg" <juangarcia@xxxxxxxxxxxxxx> (06-11-10 11:57:01):

Also, what can I do in the future to prevent something like this from
happening again? I thought my passwords were pretty secure... but I
guess I was mistaken. I cannot really do a private/public key since I
need access to my box from multiple locations. Also, is this more
secure?

All other questions have been answered, so I'd like to answer this last
one. Yes, public key authentication is much more secure than password
authentication. People need your private key to be able to authenticate
themselves. Why is this a problem for the attacker?

Firstly, the people have to know your public key to be able to recover
your private key at all. If they don't know it, they've lost. However,
the whole sense behind public key cryptography is that your public key
_is_ known to the public. So obviously, even with the knowledge of your
public key, it is hard to recover your private key; much harder than
guessing a password with 30 random characters.

The fact that your public key may be published without worries, and
since the server really only needs to know your public key to
authenticate you, brings one major advantage: You can use the same key
to authenticate to arbitrarily many servers. You don't need a separate
key for every server.

In other words: It's not only more secure, it's even much easier. Just
take your private key with you. Place it on a USB stick and carry that
one on your key-chain. You'll still want to encrypt it (in easier
words: protect it by a passphrase), in case you lose it. The key
generator (ssh-keygen) asks for a passphrase anyway, so you don't just
press Return.


Regards,
E.S.
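The server-side half of the switch to keys, as an added example that is not part of E.S.'s post or the thread: once the public key is in place, password logins are turned off in sshd_config so a guessed password is no longer enough. It assumes a plain sshd_config without Match blocks, and the sample config content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite an sshd_config so only
# public key authentication is accepted. sshd uses the FIRST
# uncommented value of each keyword, so simply appending lines at the
# end would not override an earlier "PasswordAuthentication yes";
# we therefore drop the existing directives and prepend the wanted ones.

# Print the effective value of keyword $2 in config file $1 (first
# uncommented match wins, as in sshd). Prints nothing if unset.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Write a hardened copy of $1 to $2: password and challenge-response
# (PAM keyboard-interactive) logins off, public key on. Other directives
# are kept as they were. Assumes no Match blocks in the file.
harden_sshd_config() {
    {
        printf '%s\n' \
            'PubkeyAuthentication yes' \
            'PasswordAuthentication no' \
            'ChallengeResponseAuthentication no'
        awk '
            /^[ \t]*#/ { print; next }
            tolower($1) == "pubkeyauthentication" ||
            tolower($1) == "passwordauthentication" ||
            tolower($1) == "challengeresponseauthentication" { next }
            { print }
        ' "$1"
    } > "$2"
}

# Constructed sample config resembling a default install: password
# logins enabled and the pubkey line only present as a comment.
SAMPLE_CFG="$(mktemp)"
HARDENED_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF

harden_sshd_config "$SAMPLE_CFG" "$HARDENED_CFG"
echo "PasswordAuthentication is now: $(sshd_effective "$HARDENED_CFG" PasswordAuthentication)"
```

Run `sshd -t -f <file>` on the result before restarting the daemon, and keep an existing session open until a key login from a second session has been confirmed.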


