[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] I was hacked!

I thought the same in the first minute, but realized that it doesn't add
any operational security. If machine A, user B is compromised (B at A) and
B's key's are used to login to B at C using keys, and B has sudo access, then it's
trivial for the hacker to login to B at C, change B's password on C, then use
it to gain root access on C.

I almost start to wonder if passwordless keys really improve security.


On Mon, Nov 04, 2019 at 04:10:41PM -0500, dj-pfulio via Ale wrote:
>  >> directly. Perhaps 2006?  First thing I do on any new machine is add an
> >> account with sudo rights.
> > 
> > I don't see the operational difference between ssh'ing into root (using a
> > key) and ssh'ing into another account using a key and then sudo'ing to
> > root.  You're still getting into the machine via a key?
> > 
> 2 authentication levels seems to be better than 1, but everyone has different requirements.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo

Byron A. Jeff
Associate Professor: Department of Computer Science and Information Technology
College of Information and Mathematical Sciences
Clayton State University