[ltp] Re: Encryption - security?

Danny Cautaert linux-thinkpad@linux-thinkpad.org
Thu, 18 Aug 2005 05:52:01 +0000 (UTC)


On 2005-08-11, Richard Neill <rn214@hermes.cam.ac.uk> wrote:
>> You forgot here that your /etc/passwd is not encrypted and a possible
>> target for dictionary attacks. A possible improvement is adapting your
>> pam configuration to replace the standard unix authentication
>> (pam_unix.so) with pam_ssh.so (use your ssh passphrase to log in) or
>> pam_usb.so (use a usb-stick to log in)
>
> Even if I use /etc/shadow?

It might not seem too important but it all depends on your level of
paranoia. Why are you encrypting your precious data in the first place?
Because you want to add a layer to those who already got root on your
box, right? So imagine this scenario: someone finds your laptop
unattended and powered off. Lots of possibilities to get root on it. He
won't get to your data as your data is on the encrypted partition which
is not mounted, but he can steal your /etc/shadow, throw a dictionary
attack on it and find a password that gives access to your regular user
account. Now he only has to wait to find your laptop unattended and
suspended to ram and he gets to your data because the same password is
the one asked to unlock your screensaver/locker/whatever...

> Yes - granted, it's a tradeoff. What I really meant was "Have I 
> overlooked anything obvious?"

Nothing obvious AFAICS.

> I'm running httpd (firewalled off), sshd (not firewalled). If someone
> were to insert a firewire PCMCIA card, and Mdk were to helpfully hotplug
> it, could this be dangerous?

I'd suggest not compiling the firewire support in, or if you use a
prepackaged kernel, rm the module. I think it's also possible to
configure hotplug to not allow loading certain modules.

> I'm not quite sure I understand your point about firewire.

It's just that firewire devices can have access to all memory. Kernel
developers actually use this to debug the kernel. See also:

http://pacsec.jp/advisories.html

HTH,
DaCa.

-- 
Greetings from Oostende (BE) -*- Danny Cautaert (DaCa) 
Write me in Dutch, French or English * GnuPG preferred
Meet me at EuroBSDCon, 25-27 November 2005, Basel (CH)
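An added example (not part of the thread): the stolen-/etc/shadow scenario above is only as bad as the hashing scheme makes each dictionary guess cheap, so this small audit classifies each entry's crypt(3) scheme and flags empty fields and fast legacy hashes. The shadow lines are constructed placeholders; only their format matters.

```python
import re
# Constructed sample /etc/shadow content (not from the thread); the hash
# fields are placeholders, only their format matters for the audit.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
bob:AbCdEfGhIjKlM:19000:0:99999:7:::
carol:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
dave:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# crypt(3) $id$ prefixes: fast legacy schemes fall to dictionary guessing
# quickly, the slow salted modern ones make each guess expensive.
FAST_SCHEMES = {"1": "md5crypt"}
SLOW_SCHEMES = {"5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
                "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

def classify_hash(field):
    """Classify one shadow password field as (status, scheme)."""
    if field == "":
        return "empty", "no password set"
    if field.startswith(("!", "*")):
        return "locked", "password login disabled"
    m = re.match(r"^\$([^$]+)\$", field)
    if m is None:
        # No $id$ prefix: 13 crypt-alphabet chars is traditional DES crypt
        if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
            return "weak", "traditional DES (8-char limit, fast)"
        return "unknown", field[:4]
    scheme_id = m.group(1)
    if scheme_id in FAST_SCHEMES:
        return "weak", FAST_SCHEMES[scheme_id]
    if scheme_id in SLOW_SCHEMES:
        return "ok", SLOW_SCHEMES[scheme_id]
    return "unknown", "$" + scheme_id + "$"

def audit_shadow(text):
    """Return [(user, status, scheme)] for entries a thief with a copy of
    the file could attack cheaply: empty fields and fast legacy hashes."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = line.split(":", 2)[:2]
        status, scheme = classify_hash(pw)
        if status in ("empty", "weak"):
            findings.append((user, status, scheme))
    return findings
```

Run it against a real copy as root (`audit_shadow(open("/etc/shadow").read())`) and move anything it flags to a slow scheme via the login.defs ENCRYPT_METHOD setting and a password change.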