Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi!
I have a server running Ubuntu Server 12.04.03 LTS, and it currently has keyfile-only authentication. However, I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22.
Is password login a big no-no, or is it safe if there is a long enough password? What should a good password look like?
security is a difficult thing to give advice on...
it really comes down to comforts and preferences
you say you want to go back to passwords for convenience's sake, but for some the keyfile may be more convenient,
you are free from keeping track of and memorising many different passwords for many different services; also, good passwords should be difficult to memorise
which leads to your second question of what a good password looks like,
well a good password, again is about your interests
if you are the only one on this server and your work is pretty anonymous then a password for you may just be about deterring superficial shenanigans, and so a good password would be one you can easily remember
if you are talking about high security password then you would want to go with something that looks like the output of a hash function: c0e81794384491...
numbers and letters seemingly randomised
if you use common words the attacker can use a dictionary attack, but if an attacker wants to guess your password and you have a password like this then the attacker would have to guess every possible combination of letters (26, a-z) and numbers (10, 0-9)
at 36 possible characters for each character of the password string you can calculate the number of guesses by taking 36**(PASS_LEN)
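As an added illustration (not part of the reply above), the following Python computes the guess space the reply describes, 36**(PASS_LEN), alongside a few other character sets and a passphrase built from dictionary words, and converts each to bits of entropy and to worst-case time at an assumed guess rate. The character-set sizes, the 7776-word list size and the 1e10 guesses/second rate are assumptions chosen for the example; the last one models offline cracking of a stolen hash, which is far above what an SSH login prompt itself would allow.

```python
import math

# Alphabet sizes (assumed for the example): the reply's 26 letters + 10 digits = 36,
# plus a few other common sets for comparison.
CHARSETS = {
    "lower+digits": 36,
    "lowercase only": 26,
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 94,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def guess_space(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length,
    which is the reply's 36**(PASS_LEN) for the 36-character case."""
    return alphabet_size ** length


def dictionary_space(dictionary_size: int, word_count: int) -> int:
    """A passphrase made of dictionary words is attacked word by word, so its
    space is dictionary_size ** word_count rather than charset ** characters."""
    return dictionary_size ** word_count


def entropy_bits(space: int) -> float:
    """Bits of entropy for a secret chosen uniformly from a space of that size."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(length: int = 12, dictionary_size: int = 7776, word_count: int = 5,
            guesses_per_second: float = 1e10) -> dict:
    """Return a name -> (space, bits, years) table for the assumed parameters.
    7776 is the size of a common diceware-style word list (assumed); 1e10
    guesses/s is an assumed offline-cracking rate."""
    rows = {}
    for name, size in CHARSETS.items():
        space = guess_space(size, length)
        rows[f"{name}, {length} chars"] = (
            space, entropy_bits(space), years_to_exhaust(space, guesses_per_second))
    space = dictionary_space(dictionary_size, word_count)
    rows[f"{word_count} random words from {dictionary_size}"] = (
        space, entropy_bits(space), years_to_exhaust(space, guesses_per_second))
    return rows


if __name__ == "__main__":
    for name, (space, bits, years) in compare().items():
        print(f"{name:40s} {bits:6.1f} bits  {years:12.3g} years")
```

The point the table makes is the one the reply makes: the space grows with the alphabet raised to the length, so a random 12-character string from 36 symbols and five random words from a 7776-word list land at similar entropy, but only the latter is realistic to memorise.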
Quote:
I have a server running Ubuntu Server 12.04.03 LTS, and it currently has keyfile-only authentication.
Good, that's how I set up all my machines. I also have "PermitRootLogin no" and make use of "AllowUsers".
Quote:
However, I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22.
That doesn't hurt and may reduce the number of entries in your logs, but do a search on "security through obscurity" and read what pops up.
Quote:
Is password login a big no-no, or is it safe if there is a long enough password?
A password being long is not enough to make it strong.
I suggest you stick with key-based authentication. Protect your keys with a strong passphrase and, if you need to, carry them with you on a USB stick.
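The settings this reply names (key-only login, "PermitRootLogin no", "AllowUsers") can be checked mechanically. The following Python is an added example, not code from the thread: it parses the global section of an sshd_config the way sshd reads it (keywords case-insensitive, first value for a keyword wins, Match blocks are conditional and skipped) and reports where a file departs from that policy. It also checks ChallengeResponseAuthentication, because with PAM keyboard-interactive a password prompt can remain reachable even when PasswordAuthentication is off. Both config fragments are constructed for the example.

```python
import re
from typing import Dict, List

# Policy the replies describe: key-only login, no root login, and an explicit
# AllowUsers/AllowGroups list. Keywords are compared case-insensitively, as sshd does.
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# Constructed sample (not from the thread): PasswordAuthentication is left
# commented out and ChallengeResponseAuthentication is absent, so sshd's
# defaults apply to both.
WEAK_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
"""

# Constructed sample (not from the thread) that states every setting explicitly.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse the global section of an sshd_config into {keyword: value}.
    sshd uses the first value it finds for a keyword, so later duplicates are
    ignored here too; parsing stops at the first Match block because the
    settings inside it apply only when the Match criteria are met."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit(text: str) -> List[str]:
    """Return one finding per deviation from EXPECTED; an empty list means the
    file states the whole policy explicitly."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for keyword, wanted in EXPECTED.items():
        actual = cfg.get(keyword)
        if actual is None:
            findings.append(
                f"{keyword} not set explicitly (sshd default applies), expected {wanted}")
        elif actual.lower() != wanted:
            findings.append(f"{keyword} is {actual}, expected {wanted}")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit(cfg_text) or ['ok']}")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; a finding that a keyword is "not set explicitly" is deliberate, since relying on the compiled-in default is exactly what the commented-out line in the weak sample does.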
Quote:
(..) I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22. Is password login a big no-no, or is it safe if there is a long enough password? What should a good password look like?
I disagree: the port the service listens on doesn't enter the equation, and you being the only user doesn't matter either. Many things get sacrificed under the misnomer of "convenience", and in this case (unless you care to explain otherwise) it is completely unnecessary, as you would just use ssh-agent to load your keys for the duration of your session. Also see screen, autossh and sshfs.
The strength of a key, versus a password, is that it is unique and non-forgeable. Therefore, you can issue access to individual people and revoke it from individual people. The (private) key itself should of course be encrypted. But even if the equipment on which the key was stored were stolen and the owner forced to divulge the passphrase (ouch!), you can still individually deny access by that key.
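The per-key revocation this reply describes comes down to identifying one entry in authorized_keys and removing it. The following Python is an added example, not code from the thread: it computes the SHA256 fingerprint of each entry in the form `ssh-keygen -l` prints, so an entry can be revoked by fingerprint rather than by trusting its comment, and it handles entries that carry options such as command="...". The authorized_keys content is constructed; its key blobs are base64 of made-up bytes, not real public keys, and the parser assumes no whitespace inside quoted option values.

```python
import base64
import hashlib
from typing import List, Optional, Tuple

# Key-type tokens this example recognises; the key blob is the token after it.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _fake_blob(seed: bytes) -> str:
    """Constructed stand-in for a public-key blob: base64 of made-up bytes,
    not a real key. Real blobs decode to an SSH wire-format public key."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + seed * 6).decode()


# Constructed authorized_keys (not from the thread): two keys for one person,
# and a restricted key used by a backup job.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    f"ssh-ed25519 {_fake_blob(b'laptop')} alice@laptop",
    f"ssh-ed25519 {_fake_blob(b'desktop')} alice@desktop",
    f'command="/usr/bin/backup" ssh-ed25519 {_fake_blob(b"backup")} backup-job',
]) + "\n"


def fingerprint(line: str) -> Optional[str]:
    """SHA256 fingerprint of the key on an authorized_keys line, in the
    "SHA256:<base64 without padding>" form ssh-keygen -l prints, or None for
    comments, blank lines and undecodable entries. Leading options are skipped
    by locating the key-type token."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            digest = hashlib.sha256(raw).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def list_fingerprints(authorized_keys: str) -> List[Tuple[str, str]]:
    """(fingerprint, comment) for each key entry, for reviewing who has access.
    The comment is taken as the last token (assumption: every entry has one)."""
    out: List[Tuple[str, str]] = []
    for line in authorized_keys.splitlines():
        fp = fingerprint(line)
        if fp:
            out.append((fp, line.split()[-1]))
    return out


def revoke(authorized_keys: str, target_fingerprint: str) -> Tuple[str, int]:
    """Return the file content with every entry matching the fingerprint removed,
    plus the number removed. Comments and unrelated entries are kept verbatim."""
    kept: List[str] = []
    removed = 0
    for line in authorized_keys.splitlines():
        if fingerprint(line) == target_fingerprint:
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


if __name__ == "__main__":
    for fp, comment in list_fingerprints(AUTHORIZED_KEYS):
        print(f"{fp}  {comment}")
    lost_key = list_fingerprints(AUTHORIZED_KEYS)[1][0]  # say the desktop key was stolen
    remaining, count = revoke(AUTHORIZED_KEYS, lost_key)
    print(f"revoked {count} entry; {len(list_fingerprints(remaining))} keys remain")
```

On a real file the fingerprint values match `ssh-keygen -lf ~/.ssh/authorized_keys`, so the fingerprint reported for a lost laptop is enough to remove exactly that key while the other keys keep working.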