LinuxQuestions.org


asarangan 08-08-2013 05:34 PM

Two passwords for console login and remote login
 
Is it possible to have two passwords - one for console login and one for remote login?

My computer is in a secure office, so I am not concerned about someone physically breaking in. However, it is a different story from the network. I have hackers trying to break in almost daily.

My strategy has been to use a very long and cryptic password. But that also makes it difficult for me when logging in from the console. Even the screen lock is a problem. I end up writing the passwords on a piece of paper, but that is even worse.

A two password system would be a nice solution. Does it exist?

Z038 08-08-2013 08:41 PM

How are you logging in remotely? If you are using ssh, then you can set up passwordless login using an RSA public/private key pair. You would then disable password login in your ssh config. Local console logins would still require your normal login password, but the ssh login would use only the public/private RSA key.

asarangan 08-08-2013 11:12 PM

Quote:

Originally Posted by Z038 (Post 5005971)
How are you logging in remotely? If you are using ssh, then you can set up passwordless login using an RSA public/private key pair. You would then disable password login in your ssh config. Local console logins would still require your normal login password, but the ssh login would use only the public/private RSA key.

Yes, I am using RSA key pairs to log in without a password remotely. This is what allows me to set a strong password and not have to type it every time. The problem is when I have to log in from the console. I end up writing the password on a piece of paper and then carrying it with me. It is way too clumsy and slow. I am tempted to just use a simple password, but it defeats the purpose.

Having different passwords for remote and local logins would be a nice feature, but it looks like it may not be possible.

Z038 08-09-2013 12:03 AM

You could use Diceware to create a strong passphrase. Since the diceware method creates a passphrase composed of several words chosen randomly, they aren't hard to remember.

Some may disagree with me, but I think there is really nothing wrong with writing down a password, so long as you treat it like you would your credit cards or cash. Keep your password written down in a safe place, like in your wallet.

You said your concern was mainly attacks over the network. Since you said you are using RSA key pairs, I presume the daily hacking attempts you referred to are via ssh. If you disallow password login in sshd_config by specifying the "PasswordAuthentication no" option, and you have enabled RSAAuthentication and PubkeyAuthentication, then you don't need to make your local console login password so difficult that you can't remember it, because no one will be able to log in via ssh with a password. Even if someone knew your password, they couldn't log in with it via ssh if PasswordAuthentication is disabled. You might consider also setting "PermitRootLogin no" and limiting which accounts can log in with the AllowUsers option.
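
A way to check the settings listed in the post above against a server's effective configuration, as an added example that is not part of the original thread: the script reads `sshd -T`-style output and flags anything that leaves password login reachable over ssh. The keyboard-interactive check goes beyond the post (that method can still prompt for the account password through PAM when PasswordAuthentication is no); the function names, the sample data and the user `alice` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Input: one "keyword value" pair per
# line, the format printed by `sshd -T` (effective configuration).

# audit_sshd: read settings on stdin, print one FAIL line per finding.
# Exit status 0 = nothing flagged, 1 = at least one finding.
audit_sshd() {
    awk '
    function want(key, expected, why,    cur) {
        cur = (key in v) ? v[key] : "unset"
        if (cur != expected) {
            printf "FAIL %s=%s (want %s): %s\n", key, cur, expected, why
            bad = 1
        }
    }
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
    { k = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); v[k] = tolower($0) }
    END {
        want("passwordauthentication", "no", "password login is reachable over ssh")
        # Depending on the OpenSSH version this shows up under one or both names.
        n = split("kbdinteractiveauthentication challengeresponseauthentication", names, " ")
        msg = "keyboard-interactive can still prompt for the password via PAM"
        for (i = 1; i <= n; i++) if (names[i] in v) { seen = 1; want(names[i], "no", msg) }
        if (!seen) want(names[1], "no", msg)
        want("pubkeyauthentication", "yes", "key login must work before passwords are disabled")
        want("permitrootlogin", "no", "root is reachable over ssh")
        if (!("allowusers" in v)) {
            print "FAIL allowusers=unset: logins are not limited to named accounts"
            bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: passwords still accepted over the network.
sample_weak() {
    printf '%s\n' 'passwordauthentication yes' 'kbdinteractiveauthentication yes' \
        'pubkeyauthentication yes' 'permitrootlogin yes'
}

# Constructed sample: the settings suggested in the thread ("alice" is made up).
sample_hardened() {
    printf '%s\n' 'passwordauthentication no' 'kbdinteractiveauthentication no' \
        'pubkeyauthentication yes' 'permitrootlogin no' 'allowusers alice'
}

sample_weak | audit_sshd || echo "weak sample: findings listed above"
sample_hardened | audit_sshd && echo "hardened sample: nothing flagged"
# On a real host, as root: sshd -T | audit_sshd
```
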

asarangan 08-13-2013 09:27 AM

Quote:

Originally Posted by Z038 (Post 5006042)
You could use Diceware to create a strong passphrase. Since the diceware method creates a passphrase composed of several words chosen randomly, they aren't hard to remember.

Some may disagree with me, but I think there is really nothing wrong with writing down a password, so long as you treat it like you would your credit cards or cash. Keep your password written down in a safe place, like in your wallet.

You said your concern was mainly attacks over the network. Since you said you are using RSA key pairs, I presume the daily hacking attempts you referred to are via ssh. If you disallow password login in sshd_config by specifying the "PasswordAuthentication no" option, and you have enabled RSAAuthentication and PubkeyAuthentication, then you don't need to make your local console login password so difficult that you can't remember it, because no one will be able to log in via ssh with a password. Even if someone knew your password, they couldn't log in with it via ssh if PasswordAuthentication is disabled. You might consider also setting "PermitRootLogin no" and limiting which accounts can log in with the AllowUsers option.

Thank you for that suggestion. I liked the idea of disabling root login via ssh. That way I was able to set up a simple password for root and not have to worry about break-ins through the network.

However, it would still be a good idea if users could set up different passwords for different methods of access. I am actually surprised why this has not been thought of yet.

PTrenholme 08-13-2013 10:38 AM

Is there any reason that you couldn't set up different users (as members of the same group) using the same home directory? Then the SSH user/password combination would be different from the local user/password combo, but they would be almost identical otherwise. (The only problem would be files that default to different access permissions for the user and group, and you could set up a cron job [or a .bashrc script] to make any necessary adjustments.)


All times are GMT -5.