Re: FESCO request to revert password confirmation change in F22

On Fri, 2015-03-06 at 19:35 -0500, Miloslav Trmač wrote:
> There is another very important case where this falls down: the computer is enrolled into AD/IPA and the password is used throughout the organization.  Just looking at a local machine does not necessarily tell you what the needed password strength is.
> 
> This is of course not an argument in favor of making the policy stricter, but it does mean that _every_ way to change the password should respect the system-wide libpwsafe configuration.  If the site administrator, along with enrolling into IPA/AD, sets up libpwquality to set up password strength restrictions they deem appropriate, _all_ of Workstation should enforce these restrictions.  Now perhaps the right default is to _have_ no restrictions but they need to be enforced the moment someone sets them up.

I doubt anyone will argue against this. :)

> Um, “we can’t do $this so we need to leave other parts of the system insecure” is really not sound logic.  At the very least we have the option of giving up on VNC instead.  And I don’t really see why it would be impossible to add a password strength check for VNC at all; in the worst case we could just store the libpwquality score when the password is set / changed somewhere, and use this stored score to decide whether to warn the user before enabling VNC (storing the scores like this, and telling the attacker which accounts are weak, would be bad on multi-user desktops, but those are rare nowadays and the admin wouldn’t want individual users to go enabling services on such machines anyway).  What am I missing?

Eh, well by my logic they are both so closely related that it's nonsense
to treat them differently... but that comment was more a wishful
"somebody please fix VNC or rewrite history" than anything. I have no
clue why VNC passwords are limited/truncated to eight characters, but it
seems like that limitation makes the protocol not worth supporting at
all, let alone worth promoting in System Settings. I wonder how well
FreeRDP is coming along....

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




