-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 14 Mar 2014 18:31:32 +0100
Thomas Sigurdsen <thomas.sigurd...@gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi list.
> 
> I have for some time now been trying to avoid using passwords as much
> as possible, preferring encryption keys instead (e.g. public private
> key encryption like gpg and such). I have also started using longer
> randomised passwords I shouldn't remember; storing them instead in a
> safe place (e.g. encrypted memory card or flashdisk).
> 
> So when setting up a new Gentoo machine today and being about to
> enter a new root password I found myself wanting a way of doing
> authentication through some other means than remembering a password,
> like gpg or certificates. Does this exist; and if anyone has had
> experience with it, is it worth the hassle? And if this is a bad way
> of doing root authentication, why/how?

You can use ssh keys (PK crypto) with ssh daemon if the access is over
network.

If you need to login physically at the machine, you could hack together
something that reads an inserted usb stick or memory card with a
symmetric key and then make the login.

In order to use the stick with PK crypto you would need to also hack
together a usb stick that acts as a USB gadget or USART and responds
to the challenge.

In any case, if someone can get physical access to the token, you are
screwed. To fix this, you would also need a way for the user to enter a
password on the token that's active for a short period of time.

But what problem did we want to solve in the first place? Anyway, might
be helpful when the token can be used with many/multiple systems.
 
> Also the machine in question will have more than one user and a subset
> of the users shall have access to the root account.

The requirement of shared root makes the strong authentication
requirement kinda dubious as that's (typically) insecure by default.

Also you might want to rather use sudo than granting root access.

> - -- 
> Thomas Sigurdsen
> browniehive.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iQEcBAEBAgAGBQJTIzzwAAoJEMUjE08Xv1s5uoAH/3v9b2LjOu2HFsCgjcThFFrn
> 00bnxQRTsxLrtnltF6UKF0GBS3cs6vNRTevVCX9t8xOBRD8/ATp83U/tzx0EgYVP
> 6LItUcbwdv41IcmVcPYqu8AzNRDyaUQswh8KV7Cpq3IPbhYkn5CkOlVorWEZxDrn
> veuBJ7FEGHDppJDkdSAfNGlhtOL1UphuVy4M024NliGbNVqGgeo/42mmg21mLayG
> js/5fG2NkT+Zgi59UY6+NHk08r6qk5qjhWXlsPjMrbGKaX483nNwLFHFxA8bNB6H
> cZqB7GOxDlXi7dtcbBA3YRn1yKUtCDDiT8Gk/mKvTaiZtsORToAoinaxrT0y/Zo=
> =iGQn
> -----END PGP SIGNATURE-----
> 



- ---
Jan Matějka        | Developer
https://gentoo.org | Gentoo Linux
GPG: A33E F5BC A9F6 DAFD 2021  6FB6 3EBF D45B EEB6 CA8B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBCgAGBQJTI4iFAAoJEIN+7RD5ejahE/gH+wYfUaRKEqqkvg6nCTv4nwZa
YMDNF3Bg8Cn5xakSz762jjpaoTwsVEgIncoBv9jQtugtmv1KpfPhTP9EV8pZFTs+
Gynpz9hcaJWuN+ss0hmqeYukS9crvGYTkT1vnHgNOcM+pqgvm7wRwNvSjTSzovwc
5xGBbt4e4bt3XKp1rp2aysEXkC8FUjvZCm5E33VOd5KkXGX+WS3Q7SM0Ec7oMFi1
oz0wCAi4O3kAdAGsEZk5Z1tYIQzCmcc/vwOYkfGYTW4H00kbVmtmEJ7YjREA+q5X
jZFZEGZgEDIwtDHsexPfgX8U9r94p0IFBtiMyd8MP2RZNaVnIbuVoodZ3818X7I=
=i0Lq
-----END PGP SIGNATURE-----
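The token-based login sketched in the reply above (a stick holding a symmetric key, a challenge from the host, and a PIN on the token that only unlocks it for a short window), worked out as an added example. This is not code from the thread or from any Gentoo project; the class names LoginToken and Host, the unlock and challenge lifetimes, the scrypt parameters and the XOR key wrap are illustrative assumptions. The host issues a random single-use nonce and accepts the login only if the token returns HMAC(key, nonce); the key on the token is wrapped under the PIN and is unwrapped only for UNLOCK_SECONDS after a correct PIN entry, so a stolen token on its own cannot answer.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

UNLOCK_SECONDS = 30   # window the token stays usable after a PIN entry (assumption)
CHALLENGE_TTL = 10    # seconds a host challenge stays valid (assumption)


def _derive(pin: str, salt: bytes) -> bytes:
    """Derive 64 bytes from the PIN: 32 to unwrap the login key, 32 to check the PIN."""
    # scrypt cost parameters are illustrative, not tuned for production
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)


class LoginToken:
    """Stand-in for the USB token: holds the login key only wrapped under a PIN."""

    def __init__(self, login_key: bytes, pin: str):
        assert len(login_key) == 32
        self.salt = os.urandom(16)
        dk = _derive(pin, self.salt)
        # toy key wrap: XOR the 32-byte key with a 32-byte PIN-derived pad
        self.wrapped = bytes(k ^ p for k, p in zip(login_key, dk[:32]))
        self.pin_check = hashlib.sha256(dk[32:]).digest()
        self._pad: Optional[bytes] = None
        self.unlocked_until = 0.0

    def unlock(self, pin: str, now: Optional[float] = None) -> None:
        """PIN entry on the token; opens a short window during which it answers."""
        now = time.time() if now is None else now
        dk = _derive(pin, self.salt)
        if not hmac.compare_digest(hashlib.sha256(dk[32:]).digest(), self.pin_check):
            raise ValueError("wrong PIN")
        self._pad = dk[:32]
        self.unlocked_until = now + UNLOCK_SECONDS

    def respond(self, nonce: bytes, now: Optional[float] = None) -> bytes:
        """Answer a host challenge with HMAC(login_key, nonce); refuse when locked."""
        now = time.time() if now is None else now
        if self._pad is None or now > self.unlocked_until:
            self._pad = None  # drop the unwrap material once the window has closed
            raise PermissionError("token locked: enter PIN first")
        key = bytes(w ^ p for w, p in zip(self.wrapped, self._pad))
        return hmac.new(key, b"login:" + nonce, hashlib.sha256).digest()


class Host:
    """The machine being logged into; shares the symmetric login key with the token."""

    def __init__(self, login_key: bytes):
        self.login_key = login_key
        self._pending: dict = {}  # nonce -> expiry time

    def challenge(self, now: Optional[float] = None) -> bytes:
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = now + CHALLENGE_TTL
        return nonce

    def verify(self, nonce: bytes, response: bytes, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._pending.pop(nonce, None)  # single use: a replayed nonce is gone
        if expiry is None or now > expiry:
            return False
        expected = hmac.new(self.login_key, b"login:" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the login flow with a constructed key and a fixed fake clock."""
    key = secrets.token_bytes(32)
    host, token = Host(key), LoginToken(key, pin="4711")
    out = {}
    t0 = 1000.0
    nonce = host.challenge(now=t0)
    try:                                  # 1. stolen token, no PIN entered
        token.respond(nonce, now=t0)
        out["locked_token_refuses"] = False
    except PermissionError:
        out["locked_token_refuses"] = True
    try:                                  # 2. wrong PIN is rejected
        token.unlock("0000", now=t0)
        out["wrong_pin_rejected"] = False
    except ValueError:
        out["wrong_pin_rejected"] = True
    token.unlock("4711", now=t0)          # 3. correct PIN, fresh challenge
    resp = token.respond(nonce, now=t0 + 1)
    out["login_ok"] = host.verify(nonce, resp, now=t0 + 1)
    out["replay_rejected"] = not host.verify(nonce, resp, now=t0 + 2)  # 4. replay
    nonce2 = host.challenge(now=t0 + UNLOCK_SECONDS + 5)
    try:                                  # 5. window elapsed: token locks itself
        token.respond(nonce2, now=t0 + UNLOCK_SECONDS + 5)
        out["relocks"] = False
    except PermissionError:
        out["relocks"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The symmetric variant is what the reply calls the simpler hack; note that the host then stores the same key the token does, so a compromised host exposes every token enrolled on it, which is the reason the reply suggests a public-key token for the challenge-response case.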
