From: Polytropon
Organization: EDVAX
To: Arthur Chance
Cc: fluxwatcher@gmail.com, freebsd-questions@freebsd.org
Date: Tue, 3 Mar 2015 14:16:33 +0100
Subject: Re: Check root password changes done via single user mode
Message-Id: <20150303141633.c38bdc7b.freebsd@edvax.de>
In-Reply-To: <54F5AF25.7000303@qeng-ho.org>
References: <54F56A83.3000404@gmail.com> <54F57CD9.2000707@gmail.com> <54F5AF25.7000303@qeng-ho.org>
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
List-Id: User questions (freebsd-questions@freebsd.org)

On Tue, 03 Mar 2015 12:55:01 +0000, Arthur Chance wrote:
> As Bruce Schneier says, there's no such thing as perfect security, it
> all depends on what costs (in money, time, or effort) attacker and
> defender are prepared to pay.

Also consider non-OS security in this context: a CCTV camera monitoring the console, or a hardware keylogger that can be examined for SUM logins and "passwd" command calls. This is relatively easy with physical servers, but those which are being accessed via network (and with some management solution that lets you, for example, access the serial console via IP) could benefit from a mechanism examining the network traffic; but as soon as you have end-to-end encryption in such a setup, it won't work... except if it's weak crypto and you have sufficient means...

FreeBSD can only offer a specific subset of solutions "out of the box", and a versatile attacker will always find a way to avoid those obstacles.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...