On 09/06/2013 09:08 AM, Tomas Mraz wrote:
> On Fri, 2013-09-06 at 09:04 -0400, Matthew Miller wrote:
>> The cracklib dicts in Fedora is 8.3M. (I'm sure some of this is my fault,
>> as I've added to it over the years.) The cracklib pam module supports a
>> compressed dictionary, but apparently it has a serious performance
>> impact (https://bugzilla.redhat.com/show_bug.cgi?id=1004896).
>>
>> Meanwhile, in many systems today, local passwords are entirely unused.
>> Authentication is done via keys or by kerberos.
>>
>> At the same time, we have an increased need for smaller systems. That
>> 8MB starts to be a meaningful fraction of a container or an ultra-small
>> cloud image.
>>
>> I do recognize the value of protecting against dictionary-based attacks
>> when passwords are used. Maybe we could have a policy which requires
>> _longer_ passwords but uses a much smaller dictionary?
>
> The other option would be to fix the gzip support in cracklib to cache the
> unpacked data somehow. However that would require to keep the unpacked
> dictionary in RAM when cracklib is loaded, which is suboptimal as well. Or
> we could make the cracklib-dicts optional somehow so it is possible to
> install an ultra small cloud image without the dictionary at all - I expect
> ultra small cloud image not needing password quality checking at all.
>

Could anaconda decompress the file to another location to fix their problem?
Then we ship it compressed? I am willing to wait an extra 10 seconds while
changing my password, which I do very seldom.

Maybe have the library look for a decompressed file first and fail over to
the compressed one. Then admins could decompress it if they see this as a
problem.
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security