[CentOS] Server Hacked: Cpanel

Rodrigo Barbosa rodrigob at darkover.org
Wed Aug 9 18:01:24 UTC 2006



On Wed, Aug 09, 2006 at 01:15:29PM -0400, William L. Maltby wrote:
> My question is: is there a scenario where the public key based solution
> is just totally inappropriate? Am I overrating the value of going
> "passwordless"?

No to both questions.
I use the same thing on all my servers (only keys, no plain-text).

However, there is a 3rd authentication option. The first 2 are:

- Password
- Public Key

the 3rd being:

- Challenge/Response

Challenge/Response authentication includes things like S/KEY and
OTPW (One Time PassWord).

If we give Password authentication a security rating of 0, and
Public Key a security rating of 10, a good challenge/response
method will offer you something like 9. They are a very good
alternative when you can't, for one reason or another, use only
key auth. And just like for passwords, you can have both key and 
challenge methods enabled.

There is one particular critical server here that I need to be
able to access no matter what. Even if I need to go into a lanhouse
to do it. In that case, using a public key is at least inadvisable,
since others can try grabbing it at the time. So, Challenge/Response
is a very good way to go, since it doesn't matter if someone else
gets my password (the password will work only once).

> I'm also using an IPCop firewall w/no access from the 'net for now. But
> if/when I "open 'er up" a little, I would like to believe I'm doing the
> best job I can.

If you have the option of only using keys, then that is the way to go.
Make sure all other authentication methods are disabled for extra
points.

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

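An added example, not part of the thread, of checking an sshd_config for the "keys only, everything else disabled" advice above. It assumes OpenSSH's keyword semantics (keywords are case-insensitive, the first occurrence of a keyword wins, and `Keyword value` syntax is used) and only reads the global section before any `Match` block; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# for the "only keys, no other methods" policy. Assumes OpenSSH semantics:
# keywords are case-insensitive and the FIRST occurrence wins, so a later
# "PasswordAuthentication no" does not override an earlier "yes". Only the
# global section (before any Match block) is examined.

# sshd_effective FILE KEYWORD -> effective value (lowercased) or "unset"
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }       # comments, blank lines
        tolower($1) == "match" { exit }            # stop at Match blocks
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# keys_only FILE -> status 0 if only public-key auth is usable,
# 1 if password or challenge/response (keyboard-interactive) auth remains.
keys_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
    # OpenSSH defaults when a keyword is absent: all three are "yes".
    [ "$pw" = unset ] && pw=yes
    [ "$pk" = unset ] && pk=yes
    [ "$cr" = unset ] && cr=yes
    [ "$pk" = yes ] && [ "$pw" = no ] && [ "$cr" = no ]
}

# Constructed sample configs (not real server files).
TMPD=$(mktemp -d)
WEAK_CONF=$TMPD/weak; HARDENED_CONF=$TMPD/hardened; TRICKY_CONF=$TMPD/tricky
printf '%s\n' 'Port 22' 'PubkeyAuthentication yes' > "$WEAK_CONF"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'UsePAM yes' > "$HARDENED_CONF"
# Looks hardened to a naive grep, but the first occurrence wins.
printf '%s\n' 'PasswordAuthentication yes' '# hardening attempt below' \
    'passwordauthentication no' 'ChallengeResponseAuthentication no' > "$TRICKY_CONF"

for c in "$WEAK_CONF" "$HARDENED_CONF" "$TRICKY_CONF"; do
    if keys_only "$c"; then echo "$c: keys only"
    else echo "$c: weaker methods still enabled"; fi
done
```

On OpenSSH 8.7 and later the directive is named `KbdInteractiveAuthentication`, with `ChallengeResponseAuthentication` kept as a deprecated alias, so a check on a modern host should look for both spellings.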
