Create a rescue user?

Dams · November 6, 2020, 8:22pm

Hello,

I’m using long and complex passwords generated by KeePass. Those passwords are relatively secured. So far so good.

A few days ago - after a power failure - I could no more reach my server using ssh. I had to connect a keyboard and an screen :

the default keyboard is English, my physical keyboard is French
the password length is over 20 characters
there is a timeout for entering a password

So here is my question. Does it makes sens to create a rescue user ?

It would be a basic Linux. I could use it to login with a keyboard, then I could sudo rescue commands.

no access to Yunohost apps
no ssh access
less complex password

Is there also a timeout for sudo ?
The risk with an easier password seems limited to me as the user has no remote access and I trust who is physically in my house (anyway one could steal the disk).
Is it better just to change the timeout at logon ?

What do you think ?

Aleks · November 6, 2020, 11:56pm

If your password is so hard to type that you’re starting to wonder about creating another user such that it’s easier for you to get into your own machine, maybe you shouldn’t be so crazy about password length.

There are many things to say about password security (and security in general) but my point of view is : beyond 15~20 chars, adding more chars give you an illusory sense of security. “Real” security improvements may be improved by : studying and reducing the attack surface, having 2FA and/or using asymetric keys, not installing apps that you don’t need or that are known to have security issues, implementing fail2ban for all possible authentication interfaces, keeping your server up to date, etc. Switching from a 15-char password to 128-char password is just bullshit (apart from using a pass phrase for the sake of keeping it easy to remember). Nobody gets into a server just by brute-forcing a 15+ char password.

Great, but if you really care that much about security, consider that it’s not the only way an attacker can ‘attack’ this user. Vulnerabilities may exist in various apps (or other things, for example SMTP, XMPP, …) that may allow to enter your server via this user.