Michael Orlitzky <m...@gentoo.org> wrote: > On 11/10/2015 03:52 PM, waben...@gmail.com wrote: > > > > That's right. If an attacker has the full control over your machine > > then it doesn't make any difference. > > > > But if he can only see what you are typing, for example by a > > keylogger or by detecting the electromagentic radiation of your > > keyboard or by watching your keyboard with a camera, then he can do > > nothing with the root password of your server when root login with > > password is forbidden. > > > > I said I would give up but I lied. > > The scenario that we're talking about has the user log in via an SSH > key to some server. Once he's logged in to the server, the user uses > "su" or "sudo" to become root. This requires that he type the root > password. So a keyboard camera would still obtain the password. > > If you never actually obtain root access, of course you are safe =)
You can disable password login for that user on the server. Then he can only login via ssh key. Only with the knowledge of the root password it is not possible to gain root access to the server. An attacker also needs the ssh key. And with a camera, keylogger, or measuring radiation he can not fetch that key. -- Regards wabe
