[ale] I was hacked!
Byron Jeff
byronjeff at clayton.edu
Mon Nov 4 16:57:28 EST 2019
I thought the same in the first minute, but realized that it doesn't add
any operational security. If machine A, user B is compromised (B at A) and
B's keys are used to log in to B at C using keys, and B has sudo access, then it's
trivial for the hacker to log in to B at C, change B's password on C, then use
it to gain root access on C.
I almost start to wonder if passwordless keys really improve security.
BAJ
On Mon, Nov 04, 2019 at 04:10:41PM -0500, dj-pfulio via Ale wrote:
> >> directly. Perhaps 2006? First thing I do on any new machine is add an
> >> account with sudo rights.
> >
> > I don't see the operational difference between ssh'ing into root (using a
> > key) and ssh'ing into another account using a key and then sudo'ing to
> > root. You're still getting into the machine via a key?
> >
>
> 2 authentication levels seems to be better than 1, but everyone has different requirements.
--
Byron A. Jeff
Associate Professor: Department of Computer Science and Information Technology
College of Information and Mathematical Sciences
Clayton State University
http://faculty.clayton.edu/bjeff