Re: authorized_keys and security
From: Richard Caley (_at_)
Date: Wed, 28 May 2003 07:42:01 GMT
In article <firstname.lastname@example.org>, Boris Glawe (bg) writes:

bg> Is it right, that anybody with root access - be this a sysadmin or a
bg> hacker - has access to [keys]?
bg> He/She could copy the files to its own home directory and could login
bg> to my areas!?

If they have root access they can become you by just saying

If they have root access they can do anything to anything on this
machine. If they have root access it is more or less game over.

bg> What is so secure then with this authentication mechanism?? My
bg> password is in my head, but the key is plaintext on the disk, which
bg> can be accessed, if the system's security mechanism does not protect

Your private keys should have passphrases. This means that someone who
just gets access to the files won't get access to your remote

However, if they have root access and the time to wait, all bets are
off with passwords, whether they are on keys or directly for login. I
think the only schemes with some protection when the local machine is
compromised are going to be things like one time passwords and

-- Mail me as MYFIRSTNAME@MYLASTNAME.org.uk _O_ |<
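
An added example, not part of the original post: a Python check for the advice above that private keys should have passphrases. It reads a key file's text and reports whether the key is stored encrypted, covering the legacy PEM, PKCS#8 and openssh-key-v1 containers; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(text):
    """True/False for a private key file's text; None if it is not a recognised key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted form
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return None
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]  # first field after the magic: ciphername
        return None if len(cipher) != n else cipher != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is announced by a Proc-Type header
    for ln in lines[1:]:
        if ln == "":
            break
        if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
            return True
    return False

def fake_openssh_key(cipher):
    """Constructed sample: magic plus ciphername only, no key material."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-format samples (placeholder body, not real keys)
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("openssh none", fake_openssh_key(b"none")),
                         ("openssh aes256-ctr", fake_openssh_key(b"aes256-ctr")),
                         ("legacy encrypted", LEGACY_ENC), ("legacy plain", LEGACY_PLAIN)]:
        print(name, "->", "passphrase-protected" if key_is_encrypted(sample) else "UNPROTECTED")
```

The check only covers the key file at rest, which is the case the reply describes as someone who just gets access to the files.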