Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

On Thursday, December 5, 2019 5:41:44 AM MST Nico Kadel-Garcia wrote:
> If someone wants to spend that much of their resources on homedir
> security, they need to decide whether they want SSH key based access.
> That is manageable by configuring SSH to store SSH public keys in an
> alternate location and inform the users of the modified sshd_config
> and its modified, accessible "AuthorizedKeysFile" setting. Or the user
> can spend the time and effort to activate Kerberos based logins, or
> use password based logins. I'd avoid trying to rewrite SSH for such an
> OS-specific and non-portable need as homedir decryption mounting.

Please don't recommend to anyone to use passwords for SSH. That is incredibly 
insecure, and if privileged users are using password-based SSH, that'll 
quickly lead to a serious compromise of your entire system, depending on the 
complexity of the password, of course, but still holds nothing to key-based 
authentication with the best password.

> In common usage, very few people encrypt their home directories
> separately from their basic disk image. It makes system management for
> administrators or even a local root user very awkward. I could see it
> for home directories in "/home", and it would only cost SSH key based
> access, not ordinary password or Kerberos ticket based login. But it
> sounds quite risky and destabilizing, much as the "kill dangling
> processes when people log out". That caused a lot of shock when it
> was activated by default and started killing processes with no
> logging. Let's not repeat a surprise like that and avoid killing SSH
> key access by default.

A bit off topic, but where is "kill dangling processes when people log out" 
set? I've not experienced that anywhere.

-- 
John M. Harris, Jr.
Splentity
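
Added example, not part of the original message or of any Fedora or OpenSSH code: a small Python check of the two sshd_config settings discussed in this exchange, whether password logins are still accepted and whether "AuthorizedKeysFile" points somewhere outside the home directory. The sample configs, the /etc/ssh/authorized_keys/%u path and the finding names are constructed assumptions; only the global section (before any Match block) is read, and Include files are not followed.

```python
import re

# Constructed sample configs (assumptions, not taken from the thread).
STOCK = """\
# PasswordAuthentication and AuthorizedKeysFile left at sshd defaults
PermitRootLogin no
"""
RELOCATED = """\
authorizedkeysfile /etc/ssh/authorized_keys/%u
PasswordAuthentication no
PasswordAuthentication yes
"""
# sshd default when AuthorizedKeysFile is unset: relative to the user's home.
DEFAULT_KEYS = ".ssh/authorized_keys .ssh/authorized_keys2"

def global_settings(config_text):
    """Settings before the first Match block; keywords are case-insensitive
    and the first value obtained for a keyword is the one sshd uses."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        # keyword, then whitespace or an optional "=", then the value
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)", line)
        if line.startswith("#") or not m:
            continue
        if m.group(1).lower() == "match":
            break  # conditional overrides are out of scope here
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def outside_home(pattern, home_root="/home/"):
    """Relative patterns and %h resolve inside the home directory."""
    return pattern.startswith("/") and not pattern.startswith(home_root)

def audit(config_text, home_root="/home/"):
    s = global_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password-auth-enabled")
    patterns = s.get("authorizedkeysfile", DEFAULT_KEYS).split()
    if not any(outside_home(p, home_root) for p in patterns):
        findings.append("keys-only-in-home")
    return findings

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("relocated", RELOCATED)):
        print(name, audit(text) or "ok")
```

A "keys-only-in-home" finding means key-based login depends on the home directory being readable before authentication, which is the case the quoted text raises for separately encrypted home directories.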

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx