Jakob77 wrote: Tue Jul 25, 2023 6:48 am
Andy
...
He says something about how a secret username can also be important, because it will force the cracker to guess that too, and that will make it much more difficult.
If that is true in this context it tells me that we need the root password to be significantly stronger than the others. Not just because root has the most privileges but also because it is the only username the cracker likely knows for sure.
...
Consider using key-based authentication.
If we are talking about an SSH prompt open from outside, I have already done some research.
I will illustrate it with the use case of the SecureShell (SSH) service. If you need to administer your computer from a remote location, you leave the SSH service running and accessible from outside. If you use a normal typed password, this exposes the option of trying to log in to your device to practically everyone, unless access is restricted to particular IP addresses.
So without further hardening of the system, an attacker can try a great many different passwords. Weak passwords mean fewer tries are needed to actually find them.
Passwords with the greatest strength (it is called entropy: how big the haystack is in which the attacker is searching for your needle), which are absolutely resistant to this type of attack, are infeasible to type.
By making passwords reasonably short and/or memorable (and I do not mean "short" ones, but at least 12-16 characters, truly random, with special characters), they become weak against some types of attack.
So for SSH, this problem is solved by using pre-generated keys.
Good info here:
https://www.cyberciti.biz/tips/linux-un ... tices.html
https://www.digitalocean.com/community/ ... nux-server
https://linuxhandbook.com/known-hosts-file/
https://tylercipriani.com/blog/2017/09/ ... ascii-art/
https://stribika.github.io/2015/01/04/s ... shell.html
How should it work when you need to authenticate yourself to such a system? In a nutshell, you must first generate your keyfile (you can protect this keyfile with its own password; then it becomes double protection). Then you set up your server to accept your particular keyfile by uploading the public part of the keyfile to your server. Then you can access your server from some remote location by using the private part of the keyfile and by providing the passphrase to unlock or decrypt this private part of your keyfile on the device (the SSH client) from which you are connecting to your server. Then the SSH client will be able to prove to your remote SSH server that it really is the one who is allowed in.
Obviously, you must keep your private keyfile confidential. If it leaks, its strength shrinks to only the strength of the passphrase with which it is encrypted.
But if the keyfile is in your possession only, and nobody else's, the strength of this authentication is astronomically greater (4096 bits in comparison to, say, 80-120 bits with a normal 12-16 character random password). Each added bit doubles the size of the haystack which hides the "needle", the password/keyfile.
"Guessing the keyfile" is essentially impossible with any hardware ever known, even combined (except for one particular kind of hypothetical future quantum computer).
So, if an attacker has some access to your system, albeit not root access, and you are using just a normal password, maybe he can brute-force your password. In this case you can make his life much harder by using this technology for ordinary local authentication. You gain enormous robustness against brute-force attacks.
You have to search for yourself, or somebody can provide links, as I have not done my research in this direction yet.
Just a quick search. I meant exactly this.
https://linuxconfig.org/linux-authentic ... usb-device
Anyway, I need confirmation from an expert whether this particular solution is really secure and does not have backdoors or weaknesses, because I know nothing about that particular fork, and it seems suspicious to me why
The pam_usb software, once widely available for installation on any major Linux distro, no longer exists in any package repositories.
But it is cheap (you need just a USB key) and available.
Regards,
Andy
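The key-based SSH workflow Andy describes above (generate a passphrase-protected keyfile, upload its public half, then turn off password logins on the server), as an added example that is not part of the original post and not code from OpenSSH itself. The sample sshd_config at the bottom is constructed for the demonstration, the `user@host` target and the keyfile path are placeholders, and the server-side functions assume a plain OpenSSH sshd_config. Two details a practitioner wants here: sshd uses the FIRST value it reads for a keyword, so appending `PasswordAuthentication no` to the end of a file that already says `yes` higher up changes nothing, and anything after a `Match` line belongs to that block rather than to the global settings. The example uses an ed25519 key rather than a 4096-bit RSA key; either is fine, but note that a key's bit length is not its security level (a 4096-bit RSA key is usually rated at roughly 140 bits and ed25519 at about 128), which is still far beyond any password you could type.

```shell
#!/bin/sh
# Added example (not from the original post or from the OpenSSH project).
# Client side: passphrase-protected key pair, public half copied to the server.
# Server side: make sshd accept keys only. Assumed: the config path passed as
# $1, the user@host placeholder, and the constructed sample config below.

# --- client side ---------------------------------------------------------
setup_client_key() {  # usage: setup_client_key user@host [keyfile]
    target="$1"
    keyfile="${2:-$HOME/.ssh/id_ed25519}"
    # -a 100: more KDF rounds, so a leaked keyfile costs the attacker more
    # per passphrase guess. ssh-keygen asks for the passphrase interactively.
    ssh-keygen -t ed25519 -a 100 -f "$keyfile" -C "$(whoami)@$(hostname)"
    # Installs only the .pub half into ~/.ssh/authorized_keys on the server.
    ssh-copy-id -i "$keyfile.pub" "$target"
}

# --- server side ---------------------------------------------------------
# sshd takes the FIRST value it sees for a keyword; later duplicates do not
# override it, and lines after a "Match" keyword apply only to the sessions
# that Match selects. The global value is therefore the first occurrence
# above the first Match block.
effective_value() {  # usage: effective_value <sshd_config> <Keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }          # Match blocks are not global
        tolower($1) == key     { print $2; exit } # first hit wins
    ' "$1"
}

harden_sshd_config() {  # usage: harden_sshd_config <sshd_config>
    file="$1"
    # ChallengeResponseAuthentication is the old name of
    # KbdInteractiveAuthentication (OpenSSH 8.7+); the alias is still accepted.
    for setting in \
        "PubkeyAuthentication yes" \
        "PasswordAuthentication no" \
        "ChallengeResponseAuthentication no" \
        "PermitRootLogin prohibit-password" \
        "AuthenticationMethods publickey"
    do
        key="$(printf '%s' "${setting%% *}" | tr 'A-Z' 'a-z')"
        tmp="$file.tmp"
        {
            # Prepend, so the new line is the first (= effective) global value.
            printf '%s\n' "$setting"
            # Drop every global occurrence, commented or active, of the same
            # keyword; leave Match blocks exactly as they were.
            awk -v key="$key" '
                tolower($1) == "match" { in_match = 1 }
                in_match { print; next }
                {
                    line = $0
                    sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and "#"
                    split(line, f, /[ \t=]/)
                    if (tolower(f[1]) == key) next
                    print
                }
            ' "$file"
        } > "$tmp"
        mv "$tmp" "$file"
    done
}

validate_sshd_config() {  # usage: validate_sshd_config <sshd_config> (needs sshd)
    sshd -t -f "$1" && echo "syntax OK: $1"
}

# --- demonstration on a constructed sample config (not a real server's) -----
demo_config="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$demo_config" <<'EOF'
# distribution default: commented out means "yes", i.e. passwords allowed
#PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd_config "$demo_config"
echo "PasswordAuthentication -> $(effective_value "$demo_config" PasswordAuthentication)"
echo "PermitRootLogin        -> $(effective_value "$demo_config" PermitRootLogin)"
echo "--- resulting file ---"
cat "$demo_config"
rm -f "$demo_config"
```

Run `setup_client_key you@server` once from the client, then `harden_sshd_config /etc/ssh/sshd_config` and `validate_sshd_config /etc/ssh/sshd_config` on the server, and only reload sshd after a second session has confirmed that the key login works, so a mistake cannot lock you out. The `Match User backup` block in the sample is kept untouched on purpose: with the global `AuthenticationMethods publickey` in place, such a per-user password exception would also need its own `AuthenticationMethods` line inside the block to take effect.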