[CentOS] what percent of time are there unpatched exploits against default config?

夜神 岩男 supergiantpotato at yahoo.co.jp
Thu Dec 29 14:53:54 UTC 2011


On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
> On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
>> Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
>>> Hello Reindl,
>>>
>>> On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
>>>> Am 29.12.2011 09:17, schrieb Bennett Haselton:
>>>>> Even though the ssh key is more
>>>>> random, they're both sufficiently random that it would take at least
>>>>> hundreds of years to get in by trial and error.
>>>>
>>>> if you really think your 12-chars password is as secure
>>>> as a ssh-key protected with this password you should
>>>> consider to take some education in security
>>>
>>> Bennett clearly states that he understands the ssh key is more random,
>>> but wonders why a 12 char password (of roughly 6 bits entropy per byte
>>> assuming upper & lower case characters and numbers) wouldn't be
>>> sufficient.
>>
>> so explain me why discuss to use or not to use the best
>> currently available method in context of security?
>
> Using the ssh key can be problematic because it is too long and too random to
> be memorized --- you have to carry it on a usb stick (or wherever). This
> provides an additional point of failure should your stick get lost or stolen.
> Human brain is still by far the most secure information-storage device. :-)
>
> It is very inconvenient for people who need to login to their servers from
> random remote locations (i.e. people who travel a lot or work in hardware-
> controlled environment).
>
> Besides, it is essentially a question of overkill. If password is not good
> enough, you could argue that the key is also not good enough --- two keys (or
> a larger one) would be more secure. Where do you draw the line?
>
> Best, :-)
> Marko

Hi Marko!
What about IC cards? I use that a lot, and it's reduced my need for a 
password to something tiny (6 numbers) and requires a physical key (my 
card). I have the root certificates, private keys, etc. stored offline 
just in case my card goes nuts, which has happened before, but I've 
never had a problem with this.

When traveling I log in to my home server and work servers with my 
laptop. It's really a *lot* easier than using a bunch of password schemes. 
I was initially worried that I'd run into a situation where I'd either 
lose my card traveling, or it would get crushed, or whatever -- but that 
hasn't happened in 5 years. What has happened in 5 years of doing this 
is intermittent network outages, work server crashing, web applications 
failing, database corruption, etc.

So from experience (mine and coworkers, at least), it is a lot more 
likely that problems will arise from totally different vectors than 
having ssh keys and IC cards making life complicated -- because from 
this user's perspective it's made things a LOT simpler.

But it requires a bit of study. Which most people don't do. More to the 
point most people don't even read popups on the screens, even the big 
red scary ones, so...
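The thread argues about whether a 12-character password (Leonard's "roughly 6 bits per byte") is in the same league as an ssh key. The following script is an added example, not code from the thread or from the CentOS project: it computes the entropy of a uniformly random password over the character classes it uses, compares that to the NIST SP 800-57 security strength of common ssh key types, and estimates expected guessing time at an assumed guess rate. The sample password, the guess rates, and the function names are constructed for illustration; only the key-strength figures are standard published values.

```python
import math
import string

# Security strength in bits that NIST SP 800-57 assigns to common ssh key types.
KEY_STRENGTH_BITS = {"rsa-2048": 112, "rsa-3072": 128, "ed25519": 128}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def estimate_alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that contains every class
    the password actually uses (lower, upper, digits, other printable ASCII).
    A random password drawn from exactly that set has this alphabet size."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),  # 32 punctuation marks plus space
    ]
    size = 0
    for members, count in classes:
        if any(ch in members for ch in password):
            size += count
    return size


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret of the given strength:
    on average half the space (2 ** (bits - 1) guesses) must be tried."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def compare_to_keys(password: str) -> dict:
    """Bits of the password versus each key type; positive 'shortfall' values
    mean the key is that many bits stronger than the password."""
    bits = entropy_bits(len(password), estimate_alphabet_size(password))
    return {
        "password_bits": round(bits, 2),
        "shortfall": {k: round(v - bits, 2) for k, v in KEY_STRENGTH_BITS.items()},
    }


if __name__ == "__main__":
    # Constructed sample: 12 chars over upper, lower and digits (62 symbols).
    sample = "xK9qL2mW4pR7"
    bits = entropy_bits(len(sample), estimate_alphabet_size(sample))
    print(compare_to_keys(sample))
    # Assumed guess rates: an online sshd guessing rate that a rate limiter
    # allows, versus an assumed offline rate against a stolen hash.
    for label, rate in (("online, 10/s", 10), ("offline, 1e9/s", 1e9), ("offline, 1e12/s", 1e12)):
        print(f"{label}: ~{expected_years(bits, rate):.3g} years expected")
```

The point the numbers make for this thread: a 12-character alphanumeric password is about 71 bits, roughly 40 bits short of an RSA-2048 key and 57 bits short of an Ed25519 key, which is a factor of 10^12 to 10^17 in guessing work. Against sshd, where guesses are online and throttled, even the 71 bits is far beyond "hundreds of years", so the practical difference lies elsewhere: a password can be phished, reused, or captured on a compromised host, while a key (or an IC card holding one) never leaves the client.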
