Proposal for action: SSH Key, User Cert and Password Flag Day

Stephen John Smoogen smooge at gmail.com
Mon Sep 12 22:35:49 UTC 2011


On Mon, Sep 12, 2011 at 10:49, seth vidal <skvidal at fedoraproject.org> wrote:
> On Mon, 2011-09-12 at 10:40 -0600, Kevin Fenzi wrote:
>
>> Some random thoughts/considerations:
>>
>> * We could also change fas password requirements at this time.
>> We have: https://fedorahosted.org/fedora-infrastructure/ticket/2804
>> where we agreed with:
>>
>> - Nine or more characters with lower and upper case letters, digits and
>>   punctuation marks.
>>
>> - Ten or more characters with lower and upper case letters and digits.
>>
>> - Twelve or more characters with lower case letters and digits.
>
> So - I am sure I'm not the only one who does this - but how about
> mandating pass PHRASES and make the minimum length be 40 characters?
>
> Mary_had_a_little_lamb_whose_fleece_was_white_as_snow would work just
> fine and should be substantially harder to crack :)
> (/me is all about making friends today, apparently)

My only issue with that is making sure that the hashing method allows
for it. Finding out that it stops at 16 characters for some reason
means a lot of wasted typing. In the end, I would say that having to
type in 40 characters every time my window times out on Fedora
Community or admin would make me grumpy after the 4th login in a day.


>
>
>> * Users who fail to meet the deadline would be marked 'inactive' ? What
>>   would they need to do to re-activate? Just login and upload a new
>>   key/change password?
>
> well "login" might be hard. I suspect we just nuke their ssh keys so
> they cannot login to any shell w/o first getting into the fas.

Agreed.



-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
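The two policy questions raised in this exchange, the character-class rules quoted from the ticket and the worry that the hashing backend may silently truncate long passphrases, can both be checked mechanically. The following is an added example, not code from this thread or from FAS: it encodes the three quoted rules plus the 40-character passphrase proposal, and probes a hashing function for the smallest prefix length beyond which extra characters stop affecting the hash. The interpretation that "with lower case letters and digits" means every named class must be present, and the two constructed hashers (one deliberately keeping only 16 characters), are assumptions made here.

```python
import hashlib
import string

# Character-class rules as quoted from the ticket discussion in the thread.
# Assumption: "with lower case letters and digits" means every named class
# must be present, not merely allowed.
CLASS_RULES = (
    (9,  {"lower", "upper", "digit", "punct"}),
    (10, {"lower", "upper", "digit"}),
    (12, {"lower", "digit"}),
)


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def meets_policy(pw, passphrase_min=40):
    """True if pw satisfies one of the class rules, or (when passphrase_min is
    not None) is at least passphrase_min characters long regardless of classes,
    which is the passphrase alternative proposed in the thread."""
    n = len(pw)
    if passphrase_min is not None and n >= passphrase_min:
        return True
    present = char_classes(pw)
    return any(n >= min_len and required <= present
               for min_len, required in CLASS_RULES)


def detect_truncation(hash_fn, max_probe=128):
    """Smallest length L such that hash_fn ignores everything after the first L
    characters, or None if no truncation is seen up to max_probe characters.
    hash_fn must be deterministic (same salt on every call), so compare
    hashes produced with a fixed salt when probing a real backend."""
    base = "a" * max_probe
    for length in range(1, max_probe):
        # Same prefix as base up to `length`, different afterwards.
        probe = base[:length] + "b" * (max_probe - length)
        if hash_fn(probe) == hash_fn(base):
            return length
    return None


# Constructed hashers standing in for a real backend (assumption, not FAS
# code); the first models a scheme that discards input after 16 characters.
def truncating_hash(pw):
    return hashlib.sha256(pw[:16].encode()).hexdigest()


def full_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


if __name__ == "__main__":
    phrase = "Mary_had_a_little_lamb_whose_fleece_was_white_as_snow"
    # Passes as a passphrase, fails the class rules (no digit present).
    print(meets_policy(phrase), meets_policy(phrase, passphrase_min=None))
    # 16 for the truncating hasher, None for the full one.
    print(detect_truncation(truncating_hash), detect_truncation(full_hash))
```

Running `detect_truncation` against whatever the backend actually uses, with a fixed salt, answers the "stops at 16 characters" concern before a flag day mandates 40-character passphrases; a non-None result means characters past that length are wasted typing, exactly as the reply warns.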

