Gentoo Forums
possible to make local login only possible with rsa key?
gerrit
n00b


Joined: 24 Jul 2004
Posts: 53
Location: Germany

Posted: Thu Apr 14, 2005 11:05 am    Post subject: possible to make local login only possible with rsa key?

Is there a possibility to restrict local access to a Gentoo Linux machine to users that have got the correct private RSA key, let's say on a USB stick?

So that I can't log into the machine without that RSA key on the USB stick at all.

I've searched the net about that topic but could not find much information.

Thanks in advance!

gerrit
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54798
Location: 56N 3W

Posted: Thu Apr 14, 2005 1:40 pm

gerrit,

Not if users have physical access to the box.
Any user that has physical access can get root by booting with a live distro.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
D2T
Tux's lil' helper


Joined: 07 Mar 2005
Posts: 96
Location: Behind You

Posted: Thu Apr 14, 2005 1:43 pm

NeddySeagoon wrote:
gerrit,

Not if users have physical access to the box.
Any user that has physical access can get root by booting with a live distro.


Remove boot from CD from the BIOS options and password it? Of course they could open up the box and short a jumper to reset the password... Padlock on the computer case, and make sure there are no bolt cutters within a 0.5 mile radius? :lol:

Seriously though, if someone has physical access to a computer they'll find a way to get in if they really want to. But for most the BIOS password and disabling boot from CD should be enough to deter them. It all depends on who you're trying to keep out...the annoying sibling or the 5up3r 1337 h@x0r3r.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54798
Location: 56N 3W

Posted: Thu Apr 14, 2005 1:54 pm

D2T,

... and floppy, and usb and network and any other removable media.

More seriously, you can make the login script mount and check for certain contents of a file on a USB stick and deny login if it's missing.
You can use any data on the USB, it need not be an RSA key.
_________________
Regards,

NeddySeagoon

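The file check described in the post above, as an added example that is not from the thread: a shell function a login hook could call, which allows login only when a token file on the mounted stick matches a digest recorded at enrollment. The file name `login.token`, the function names and the digest file are hypothetical, and the stick is assumed to be already mounted; since the file can be copied, this shows possession of the data, not of the physical stick.

```shell
#!/bin/sh
# Added example: token check for a login hook (all names are hypothetical).
# Assumes the stick is already mounted at the directory given as $1 and that
# root stored the token's SHA-256 digest in the file given as $2 at enrollment.

TOKEN_NAME="login.token"   # hypothetical file name on the stick

# token_digest FILE: print the hex SHA-256 digest of FILE
token_digest() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# enroll_token MOUNTPOINT DIGEST_FILE: record the digest of the current token
enroll_token() {
    token_digest "$1/$TOKEN_NAME" > "$2" && chmod 600 "$2"
}

# check_token MOUNTPOINT DIGEST_FILE
# Returns 0 only if the token is a regular file (not a symlink) whose digest
# equals the enrolled one. Every other outcome, including errors, denies.
check_token() {
    mnt=$1
    digest_file=$2
    token="$mnt/$TOKEN_NAME"

    [ -r "$digest_file" ] || return 1                  # nothing enrolled: fail closed
    [ -f "$token" ] && [ ! -L "$token" ] || return 1   # missing stick or symlink
    expected=$(tr -d ' \n' < "$digest_file")
    [ -n "$expected" ] || return 1                     # empty digest must never match
    actual=$(token_digest "$token")
    [ "$actual" = "$expected" ]
}
```

On a PAM-based system, a wrapper that mounts the stick read-only and runs `check_token` can be attached to the login stack with `pam_exec`, which fails the step when the command exits non-zero.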
D2T
Tux's lil' helper


Joined: 07 Mar 2005
Posts: 96
Location: Behind You

Posted: Thu Apr 14, 2005 2:03 pm

Quote:
... and floppy, and usb and network and any other removable media.


Very true, and I'm sorry if my point was a little vague. It wasn't that just disabling the cd boot would make the machine locked down. It was that local access always presents a security risk, but if you're willing to give people local access, then there are still ways to minimize the risk.

Your original post made it seem like he should just give up (at least to me) because someone might find xyz way to get in anyway. And that does not warrant "leaving doors open" just cause you may not get them all closed. Any attempt at security is better than none. But again, I wasn't clear in my original post. And I probably misinterpreted yours.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54798
Location: 56N 3W

Posted: Thu Apr 14, 2005 2:17 pm

D2T,

Security is never absolute, it's always a trade-off. That was really the point of my first post.
An RSA key on a USB device for local login is really over the top.
All the data that you really want to protect is still in the clear.
It's possibly better to use standard logins but encrypt users' (and other) filesystems with a key held on USB.
That way, the data is still useless to an attacker without the key.
_________________
Regards,

NeddySeagoon

D2T
Tux's lil' helper


Joined: 07 Mar 2005
Posts: 96
Location: Behind You

Posted: Thu Apr 14, 2005 2:39 pm

Well it seems we were in agreement all along :wink:

I also agree that an encrypted filesystem w/USB key would definitely be a better option.
All times are GMT