Re: authorized_keys and security

From: Richard Caley (_at_)
Date: 05/28/03

    Date: Wed, 28 May 2003 07:42:01 GMT
    
    

    In article <bb0rdf$rg5$1@newsreader2.netcologne.de>, Boris Glawe (bg) writes:

    bg> Is it right, that anybody with root access - be this a sysadmin or a
    bg> hacker - has access to [keys] ?

    bg> He/She could copy the files to its own home directory and could login
    bg> to my areas !?

    If they have root access they can become you by just saying

            su YOURID

    If they have root access they can do anything to anything on this
    machine. If they have root access it is more or less game over.

    bg> What is so secure then with this authentication mechanism ?? My
    bg> password is in my head, but the key is plaintext on the disk, which
    bg> can be accessed, if the system's security mechanism does not protect
    bg> them...

    Your private keys should have passphrases. This means that someone who
    just gets access to the files won't get access to your remote
    accounts.

    However, if they have root access and the time to wait, all bets are
    off with passwords, whether they are on keys or directly for login. I
    think the only schemes with some protection when the local machine is
    compromised are going to be things like one-time passwords and
    challenge-response systems.

    -- 
    Mail me as MYFIRSTNAME@MYLASTNAME.org.uk        _O_
                                                     |<
    
