On Fri, Jul 24, 2015 at 11:30 AM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote: > On Fri, Jul 24, 2015 at 10:48:14AM -0600, Chris Murphy wrote: >> > Still a little esoteric, but provisioning is easier, and people are >> > getting more used to it in general, hopefully. And as a bonus, this >> > jumps us up to level 3 identity assurance, I believe. >> OK, but still not by default. Not everyone has a smart phone. And mine >> runs into this FreeOTP bug: >> https://fedorahosted.org/freeotp/ticket/52 >> This stuff has to be opt in, not opt out. > > Well, turning on ssh access into the system is puts us into advanced > territory already, doesn't it? And doing _that_ is opt-in. If it's advanced, then why is there this mysterious problem that Fedora users are a.) using crap passwords and b.) brow beating them won't work because they're notoriously stubborn and don't take advice? I just don't understand the rationalization, it's almost like doing this for the sake of doing it. All other problems have been solved now we need to make bacon with a Rube Goldberg contraption! Who else has done this? Obviously Apple, with deific amounts of resources, doesn't give two shits and a fuck about an *admin* user setting their password to cat with ssh being enabled. If they don't care, why do we? And where does the authority come from to usurp control over the user's freedom to fuck up, be stubborn, and have asinine passwords? I just... what? This is not low hanging fruit. It's low hanging tree limbs and eating leaves. It's like watching Charlie the Unicorn Goes to Candy Mountain. I'm just left with a "HUH?" OK so you're suggesting this only get provisioned with MFA if the user enables SSH in the GNOME GUI? If it's enabled via systemctl then it's just password only, and no MFA? Because if MFA is required then there needs to be a text fall back provisioning. Every release cycle I'm logging in remotely to grab logs because one or another system has a video regression. And this release cycle I'm expecting more because Wayland. -- Chris Murphy -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
