On a server I have a public key auth only for root account. Is there any point of logging in with a different account?

  • ShortN0te@lemmy.ml
    618·
    3 months ago

    The sudo password can be easily extracted by modifying the bashrc.

      • ShortN0te@lemmy.ml
        109·
        3 months ago

        The attacker that is currently with user privileges on the server?

        • Lemmchen@feddit.orgEnglish
          144·
          3 months ago

          How did the attacker gain your user’s privileges? Malware-infected user installation? A vulnerability in genuine software running as your user? In most scenarios these things only become worse when running as root instead.

          • ShortN0te@lemmy.ml
            148·
            3 months ago

            The scenario OC stated is that if the attacker has access to the user on the server then the attacker would still need the sudo password in order to get root privileges, contrary to direct root login where the attack has direct access to root privileges.

            So, now i am looking into this scenario where the attack is on the server with the user privileges: the attacker now modifies for example the bashrc to alias sudo to extract the password once the user runs sudo.

            So the sudo password does not have any meaningful protection, other then maybe adding a time variable which is when the user accesses the server and runs sudo

              • ShortN0te@lemmy.ml
                54·
                3 months ago

                And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.

              • JasonDJ@lemmy.zip
                44·
                3 months ago

                Nah just set up PAM to use TOTP or a third party MFA service to send a push to your phone for sudo privs.

                  • JasonDJ@lemmy.zip
                    44·
                    3 months ago

                    I…I don’t understand the question.

                    Also, yubikey or any other token. Plenty of MFA options compatible with sudo.

                  • 4am@lemm.ee
                    35·
                    3 months ago

                    Then you can’t gain root privileges on your server. Are you really arguing for less security because it’s inconvenient?

                    This is end-user behavior and it’s honestly embarrassing. You should realize your security posture is much more important than “I left my phone on the other room”

          • SavvyWolf@pawb.socialEnglish
            11·
            3 months ago

            I don’t think that actually works; the attacker could just remove .bashrc and create a new file with the same name.

            • 2ndSkin@sh.itjust.works
              62·
              3 months ago

              If the .bashrc is immutable, the attacker can’t remove it.
              That’s how it works.

              • SavvyWolf@pawb.socialEnglish
                22·
                3 months ago

                The home directory would need to be immutable, not bashrc.

                • 2ndSkin@sh.itjust.works
                  4·
                  3 months ago

                  ?

                  It’s .bashrc, not bashrc, and .bashrc is in the home directory.
                  If .bashrc is immutable, it can’t be removed from home.

                  • SavvyWolf@pawb.socialEnglish
                    1·
                    3 months ago

                    It’s the directory that needs to be writable to delete files, not the file itself.

                    Although the immutable bit (if that’s what you’re talking about - I thought you meant unsetting the write bit) might change that, I’m not sure.

            • WheelchairArtist@lemmy.worldBanned
              21·
              3 months ago

              you’re right. that’s something i wanted to look into. guess setfacl would do the trick?

    • markstos@lemmy.world
      4·
      3 months ago

      This was downvoted, but is a good question.

      If your account is compromised, the shell init code could be modified to install a keylogger to discover the root password. That’s correct.

      Still, that capture doesn’t happen instantly. On a personal server, it could be months until the owner logs in next. On a corporate machines, there may be daily scans for signs of intrusion, malware, etc. Either way, the attacker has been slowed down and there is a chance they won’t succeed in a timeframe that’s useful to them.

      It’s perhaps like a locking a bike: with right tool and enough time, a thief can steal the bike. Sometimes slowing them down sufficiently is enough to win.