Summary of password strength discussion

Matthew Miller mattdm at fedoraproject.org
Tue Jul 28 17:09:11 UTC 2015


On Tue, Jul 28, 2015 at 10:52:02AM -0600, Chris Murphy wrote:
> > Oh! An alternative which avoids any file parsing or writing: add an
> > "ssh-access" or similar group, configure default sshd_config with
> > "AllowGroups ssh-access". (Could be a Workstation-only sshd_config.)
> Maybe. Elsewhere I read that AllowUsers overrides AllowGroups. So as
> soon as you have AllowUsers chris, it basically ignores AllowGroups
> and only allows chris. But that's goofy if true.

I think both goofy and true, but also not necessarily a problem - in
fact, maybe actually it's exactly what we want, since it's a sort of
"fail-secure" - it means that if someone wants to restrict to just
certain users manually, they won't be surprised by AllowGroups
overriding it. (I guess the remote-login switch code could _warn_ if
this is detected in an existing config file. Or even just warn if the
config file is not default.)

> But my gut instinct is that sharing services UI should only be about
> configuring those services. Whether I want them available or not on
> certain networks is a function of my relative trust of the network I'm
> connected to, and hence that's a heuristically automagically managed
> firewalld thing. So I'd actually pull out the Networks UI out of each
> of these rather than add it to Remote Login. I don't want to see such
> configuration choices in two UIs.

The Workstation WG people here seem to prefer the other way - this over
configuring the relative trust per-network. Someone correct me if I'm
wrong. :)

-- 
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader
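
The check suggested in the message above, sketched as an added example; it is not part of the original post and is not Fedora or GNOME code. It assumes, per sshd_config(5), that a login must satisfy every Allow* directive that is set, and it ignores Match blocks, Include files and negated or USER@HOST patterns. The sample config, the `ssh-access` default and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: the group-based default proposed above plus a manual AllowUsers edit.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
AllowGroups ssh-access
PermitRootLogin no
allowusers chris
"""

def parse_access_directives(text):
    """Collect global AllowUsers/AllowGroups patterns; keywords are case-insensitive."""
    found = {"allowusers": [], "allowgroups": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # simplification: conditional blocks are not evaluated
            break
        if key in found:
            found[key].extend(parts[1:])  # repeated lines accumulate
    return found

def is_allowed(directives, user, groups):
    """Every directive that is set must match; patterns approximated with fnmatch."""
    users, allowed_groups = directives["allowusers"], directives["allowgroups"]
    if users and not any(fnmatch.fnmatchcase(user, p) for p in users):
        return False
    if allowed_groups and not any(
        fnmatch.fnmatchcase(g, p) for g in groups for p in allowed_groups
    ):
        return False
    return True

def warnings_for_switch(directives, managed_group="ssh-access"):
    """Hypothetical pre-flight check for a remote-login switch that manages a group."""
    out = []
    if directives["allowusers"]:
        out.append("AllowUsers is set (%s): group membership alone will not grant login"
                   % " ".join(directives["allowusers"]))
    if managed_group not in directives["allowgroups"]:
        out.append("AllowGroups does not list %s: config is not the expected default"
                   % managed_group)
    return out

if __name__ == "__main__":
    d = parse_access_directives(SAMPLE_CONFIG)
    for name, grps in [("chris", ["chris", "ssh-access"]), ("alice", ["alice", "ssh-access"])]:
        print(name, "allowed" if is_allowed(d, name, grps) else "denied")
    print("\n".join(warnings_for_switch(d)))
```

With the sample config, a member of `ssh-access` who is not named in AllowUsers is denied, and so is `chris` if he is not in the group, which is the case the warning is meant to surface.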

