Hello!
I am interested in different ways to secure Linux machines (enterprise, banking ... grade). How secure gets a system when using the method described in the title? Does it really make sense in a network context?
Thank you!

Depends exactly what scenario you have in mind, but there are 3 classes of auth:

1. something you know: username, password, ...
2. something you have: usb key, RSA token, OTP, ...
3. something you are ie biometrics

None of that stops you downloading malware once you've logged in though ...

Thank you for the reply.
How difficult it gets to crack a system which requires a password and a token in order to authenticate? I am talking about network and/or local cracking. What are the best methods to secure a system?

Well, there are tons of resources on the web about security, and see the Stickies here, but in short:

1. local; all bets are off if they have physical access, unless you have encrypted your files properly....

2. remote: well, you would need to use a secure cxn eg ssh, vpn etc.
again, the quality of the encryption is vital, as are not using easy passwds.

You should read up on ssh, vpn, pam, ssl, OTP, etc etc.
General answers are tricky; specific problems are easier (sort of) to answer.

1 members found this post helpful.

Got it! Thank you!

Here's a short-answer: this is a problem that has already been solved. LDAP (a.k.a. OpenDirectory) and Kerberos are two typical methods that are used on an enterprise level. Their security characteristics are well-known, as are their centralized system management tools. You can now "log in" (authenticate...) to any computer that you are authorized to use, and to access any internal web-site or application or what-have-you that you are authorized to use. The processes of both authentication and authorization are done one way no matter who's doing it, and they're controlled in one way no matter what type of system is referring to it. Logging and auditing are also handled in a known and consistent way.

Both the design and the implementation were done openly, and by qualified experts in the field. Their work has been peer-reviewed and studied for years since; and it's still going on. You don't need to understand how the vehicle works in order to climb aboard.

If you've got 3,500+ users who need to hit 960 servers ... as one client of mine does ... believe me, that's a big deal.

You don't want to "roll your own solution" when there is any security infrastructure available that you can hop-a-ride with instead.

1 members found this post helpful.