Re: [tlug] bootable linux with sshd

["Fergal Daly" <fergal@example.com>]

On 03/01/07, Curt Sampson <cjs@example.com> wrote:
> For this particular case, you've gone right off the rails.
>
> If the attack you're defending against is *only* guessing of the secrets
> necessary to log in to that computer, you'd be correct. But in that
> case, given that an ssh private key contains very nearly the same amount
> of information (i.e., is almost exactly "as long") as an ssh private key
> plus two long passphrases, there's no point in using anything but the
> ssh key.
>
> However, this is not the attack you're defending against. Nobody's going
> to guess that in your lifetime.
>
> So, if they need an ssh key to log in (which they do if you've disabled
> password logins), they need to steal it. Someone with access to your
> hardware could probably do this without too much difficulty. Once

Someone with access to my hardware could key-sniff my ssh passphrase
and sudo password. There is pretty much no defense against someone
with access to my hardware (beyond military hardening and tamper proof
seals etc). I have never checked whether a software key sniffer has
been installed on any of my machines, I probably never will similarly
for a hardware key sniffer.

I am not defending myself against this attack. If you genuinely are
defending yourself against this attack then you should really have
even more hardware - like a one-time-secret card etc, otherwise you
are not really defended,

F