[lug] root password
David L. Anselmi
anselmi at anselmi.us
Wed Aug 2 22:17:10 MDT 2006
Rob Nagler wrote:
[...]
> However, the cracker will now have an authorized_keys file for each
> user that you let have authorized keys. From that point on, it's a
> simple problem: run a cracker program that is available to
> script-kiddies on these files offline on the Microsoft CrackGrid(tm).
No, actually. If this were true SSH and everything else that uses the
RSA/DSA algorithms would be cracked.
The authorized keys file contains public keys so it's safe to put on the
remote machine. It's the private key that you keep on your laptop you
have to be careful with.
It's much easier to crack your password after compromising the remote
machine than it is to crack your private key (stored on your
laptop)--that's why turning off password authentication is a good thing.
Like you said, security is tricky.
Dave
More information about the LUG
mailing list