[lug] root password

David L. Anselmi anselmi at anselmi.us
Wed Aug 2 22:17:10 MDT 2006

Rob Nagler wrote:
> However, the cracker will now have an authorized_keys file for each
> user that you let have authorized keys.  From that point on, it's a
> simple problem: run a cracker program that is available to
> script-kiddies on these files offline on the Microsoft CrackGrid(tm).

No, actually.  If this were true SSH and everything else that uses the 
RSA/DSA algorithms would be cracked.

The authorized keys file contains public keys so it's safe to put on the 
remote machine.  It's the private key that you keep on your laptop you 
have to be careful with.

It's much easier to crack your password after compromising the remote 
machine than it is to crack your private key (stored on your 
laptop)--that's why turning off password authentication is a good thing.

Like you said, security is tricky.


More information about the LUG mailing list