Re: Heads up - Anaconda 22.17 will enforce 'good' passwords

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2015-01-31 at 21:21 -0500, Richard Ryniker wrote:
> Recapitiulation:
> 
> A security problem was recognized because the ssh daemon is enabled 
> by default on Fedora systems:  with a weak root password, a remote 
> attacker might easily obtain unlimited access.

This is not quite correct; it should say 'some Fedora systems'.

> The direct solution would seem to be a change to the ssh daemon to 
> prohibit root login in its default configuration, but allow post-
> installation change to sshd to permit this where it is desirable.

The reason we didn't do this - which was the initial Change proposal - 
is that we don't have a solid mechanism for deploying any *other* ssh 
authentication mechanism (i.e. a gpg key) at install time. The 'ssh up 
with password login enabled' configuration exists because _people use 
it_ - they deploy systems in remote locations which they then need to 
log in to, and 'ssh to it with a password' is really the only way we 
offer to do this OOTB (unless you have AD/FreeIPA management set up).


> Ultimately, this indirect solution is weak.  Users are likely to 
> supply an acceptable root password during installation, then change 
> it to what they desire after installation.

Well, that's a possibility, but I don't think I've seen any evidence 
of it (as cmurf has pointed out we also have no data about the 
prevalence of weak passwords or attacks on default-configured Fedora 
systems, though).
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test





[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux