On Tuesday, 13 January 2015 1:10 AM, Stephen John Smoogen wrote:
>Sorry if I am misunderstanding but the feature is to address brute
>forcing the root account so that they do not get root access to the server.

Right.

>I am saying that this isn't a speed-bump because they are already trying
>to brute force all the accounts on the system and so if they get one,
>they will become root as they already have the password for the account.
>Thus I do not see how it solves the first problem.

Well, it prevents the direct brute-forcing of root accounts. The feature does not address brute forcing of the non-root accounts and its further implications. Secondly, usage of ssh keys for remote 'root' access, with 'PermitRootLogin=without-password' would provide better returns in the long term.

>I do not disagree. I just think that the sophistication of the malware
>robots is high enough that saying the above does not help hardening
>without further changes. [Adding a password creation tool to anaconda
>and gnome-first-boot to help people create 'stronger' passwords would
>seem to do more in hardening.]

They already have that, no? When you set password, it shows a bar meant to indicate password strength, IIRC.

---
Regards
   -Prasad
http://feedmug.com
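
An added illustration, not part of the original message or of the Fedora proposal: a Python check that reads sshd_config text and reports whether the global PermitRootLogin value still lets root authenticate with a password. The function names and sample configs are constructed for this example; Include files and Match blocks are not evaluated, and an unset keyword is reported as None rather than guessed from a version default.

```python
import re

# Values sshd accepts for PermitRootLogin, mapped to whether root can
# authenticate with a password. "without-password" is the older spelling
# of "prohibit-password".
ROOT_PASSWORD_ALLOWED = {
    "yes": True,
    "without-password": False,
    "prohibit-password": False,
    "forced-commands-only": False,
    "no": False,
}

def global_permit_root_login(config_text):
    """Return the PermitRootLogin value from the global section, or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        if keyword == "permitrootlogin" and len(parts) == 2:
            # sshd keeps the first value it reads for a keyword.
            return parts[1].strip().strip('"').lower()
    return None

def root_password_login_allowed(config_text):
    """True or False for a known value; None if unset or unrecognised."""
    return ROOT_PASSWORD_ALLOWED.get(global_permit_root_login(config_text))

# Constructed sample configs.
WEAK = "# sample\nPort 22\nPermitRootLogin yes\nPermitRootLogin no\n"
KEY_ONLY = "PermitRootLogin=without-password\nPasswordAuthentication yes\n"
MATCH_ONLY = "Port 22\nMatch Address 192.0.2.0/24\n    PermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("KEY_ONLY", KEY_ONLY), ("MATCH_ONLY", MATCH_ONLY)):
        print(name, global_permit_root_login(cfg), root_password_login_allowed(cfg))
```

In the KEY_ONLY sample, PasswordAuthentication is still enabled, so non-root accounts remain exposed to password guessing, which is the limitation raised in the thread.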