Summary of password strength discussion

Michael Stahl mstahl at redhat.com
Fri Jul 24 10:45:53 UTC 2015


On 23.07.2015 18:55, Michael Catanzaro wrote:
> 4) Our requirements for local password strength will allow passwords
> that would be much too weak were remote access via SSH to be enabled.
> We should have some user interaction when enabling SSH in the Sharing
> panel to force the user to pick a much stronger password.

> Point (4) above sets the goal of setting stricter password requirements
> when remote access is enabled. Remote access is disabled by default and
> will remain disabled forever for most Workstation users, so it's not
> appropriate for that case to dictate our default password requirements.

i've never understood why the sshd_config by default allows password
auth; first thing i do when installing SSH is to configure it to only
allow public keys.

that would avoid the password strength problem too, since you can set a
different and better password on the private key.

would it be reasonable to expect the sort of user that wants to use SSH
to be able to set that up?  maybe provide some GNOME UI to generate a
key and copy it to .ssh/authorized_keys?
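As an added example (not from this thread, nor GNOME or OpenSSH code), here is a POSIX shell audit of the sshd_config point raised above: it checks whether a configuration really is key-only, including the trap where a later `PasswordAuthentication no` is silently ignored because sshd keeps the first value it sees. It assumes the whitespace-separated `Keyword value` form and uses constructed sample configs; on a live host, `sshd -T` prints the effective configuration and is the final word.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only authentication.
# sshd honours the FIRST value of each keyword (later duplicates are ignored,
# except inside Match blocks), so appending "PasswordAuthentication no" below
# an earlier "yes" changes nothing. Assumes "Keyword value" lines (no "=").

# Print the effective value of keyword $2 in file $1, or default $3 if unset.
# Comment lines are skipped and the scan stops at the first Match block
# (per-user Match overrides are out of scope for this global check).
sshd_effective() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Return 0 when password logins are off and public keys are on, else 1.
# Both PasswordAuthentication and the PAM-driven keyboard-interactive path
# (ChallengeResponseAuthentication, newer name KbdInteractiveAuthentication)
# must be "no", otherwise PAM can still prompt for the account password.
sshd_key_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication \
         "$(sshd_effective "$1" KbdInteractiveAuthentication yes)")
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    echo "PasswordAuthentication=$pw KbdInteractive=$cr PubkeyAuthentication=$pk"
    [ "$pw" = no ] && [ "$cr" = no ] && [ "$pk" = yes ]
}

# Constructed samples: the trap (a "no" appended below a "yes") and a fix.
demo() {
    trap_cfg=$(mktemp) && fixed_cfg=$(mktemp)
    printf '%s\n' 'PasswordAuthentication yes' '# hardening attempt' \
        'PasswordAuthentication no' > "$trap_cfg"
    printf '%s\n' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' > "$fixed_cfg"
    sshd_key_only "$trap_cfg"  && echo "trap: key-only"  || echo "trap: passwords still accepted"
    sshd_key_only "$fixed_cfg" && echo "fixed: key-only" || echo "fixed: passwords still accepted"
    rm -f "$trap_cfg" "$fixed_cfg"
}

demo
```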




