How can I safely access "my" web services and accounts in a computer in which I do have sudo rights but the administrator(s) have, naturally, remote root access as well?
Details
I use a dekstop which is connected to a (large) closed/restricted LAN. Even log-in to the system is only successful if connected to the LAN.
The administrator has, of course, remote root access (which I will suggest to change and opt for a password-less ssh-key based authentication). As well, my userid is assigned to the sudoers group, ie, in the /etc/sudoers file, there is:
userid ALL=(ALL) NOPASSWD: ALL
I am hesitant to use my passwords for accessing my webmail client and my firefox account. And more.
Questions
-
What can I do to ensure that my passwords, to access external web services, are protected from anyone else than me?
-
For example, since I do have
sudorights, how can I ensure that no key loggers are running? -
I access password-less-ly based on SSH key(s) various services. How can I protect my passphrase from being logged?
-
Would 2FA be safe to access external services in such a use-case?
-
Is there a collection of "Safe practices using a Linux-based computer which others can access remotely as
root?"
Best Answer
You can't.
The root user has full access to the machine. This includes the possibility of running keyloggers, reading any file, causing the programs you run to do things without showing them in the user interface... Whether this is likely to happen depends on your environment so we can't tell you that. Even 2FA isn't safe because of the possibility of session hijacking.
In general, if you suspect a machine isn't safe, you shouldn't use it to access your services.