On Mon, Feb 16, 2015 at 9:18 AM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote: > All of these attempts to change the policy, and individual one-line patches, show there is a fairly high perceived need to do “something”; our default setup just isn’t so good that we can confidently leave it unchanged. > > And, we actually _could_ improve both the security and usability of the system, with some work. > > > We could detect whether a system being installed is a VM. (And someone smarter than me could maybe figure out a way to test whether a VM is behind local NAT, i.e. a personal or testing machine, or bridged to a larger network.) > > We could disable ssh on interactive installations (if you are installing interactively you will also run firstboot interactively and can log in interactively and enable ssh interactively) and enable it on kickstart installations (while still having interactive installations record a kickstart that disables ssh). > > We could figure out a reasonable rate limiting policy for ssh, and depend on it to allow weaker passwords. > > Ultimately, we could fix the LUKS/system login dual password situation. > > And I’m sure there are many other possible improvements. > > > All of this just takes a willingness to look at a dozen components at a time instead of at a single one, and a willingness to write patches that sum up to thousand lines instead of a single five-line patch. Now only if there were anyone able and willing to take this on; I will ask around but so far I don’t know of anyone with too much free time on their hands. This is exactly the more important issue that the password change distracts from. And my objection is, this state of affair hasn't been presented to the wider community along with the commensurate request for a change in password policy as a necessary consequence. In the meantime, there's this distracting resistance to the pw quality change. Workstation WG has expressed a desire to opt out of this change. And before the change was announced, in a recent Server SIG meeting one person suggested longer passwords might be acceptable but not more complex ones. Therefore it's plausible two product WG's will express dislike for the change and may even opt out of it. And then what? What's next? Assuming admonishing and coercing is ever OK, I'd sooner do it in favor of cooperation and cohesiveness in Fedora as an OS, rather than against a scant number of stubborn users who can't take a hint (literally) about their password quality. The former is a boulder, the latter is a pebble, but moving that boulder is the real deal by which eventually we could move mountains. Moving a pebble? It's a aggravation for essentially zero gain. I think it's silly (and annoying). -- Chris Murphy -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
