On Sat, Oct 08, 2016 at 02:29:20PM +0200, Kevin Kofler wrote:
> Michael Catanzaro wrote:
> > The status quo is that we are not in compliance with FESCo's policy
> > [1], which clearly applies to all tools that change passwords and not
> > just anaconda, but we can't change anything in GNOME until libpwquality
> > stops blocking weak passwords via its PAM module, since we ultimately
> > shell out to passwd to implement that (for auditability).
>
> The right fix there is to just remove the libpwquality PAM module by
> default. Enabling such a thing should only be done by the local system
> administrator.
>
> > But there is one more issue. FESCo's policy actually requires that only
> > admin users (wheel users, including the initial user account) would be
> > able to set weak passwords, and that unprivileged users should be
> > blocked from doing so.
>
> And I agree with Chris Murphy that that policy is utter nonsense.
>
> Even if I want to set my password to the empty string, that is my choice. It
> is a perfectly valid password for some use cases. (For what it's worth, I
> actually use a non-empty password, but Anaconda considers even that "weak".
> But I do not want to give more details here, and most definitely not the
> password itself, for obvious reasons.)

Yes. The hint that "this passphrase is weak" is very useful. But enforcing any policy is just too inflexible.

I just tried to explain (unsuccessfully) to a kid (2nd grade, so any "strong" password would simply be immediately forgotten) why she cannot change the password in the gnome dialogue, and it was a total waste of time.

(In addition, typing "password" in the gnome search box does *not* lead to something that allows you to change your password, one needs to search for "users" instead…, but that's another story. If somebody from the gnome team is listening, it would be great to tag "Users" with "password" too.)
Zbyszek