Summary of password strength discussion

Matthew Miller mattdm at fedoraproject.org
Tue Jul 28 15:43:08 UTC 2015


On Mon, Jul 27, 2015 at 08:07:32PM -0600, Chris Murphy wrote:
> >> Not the user, the GUI asks a service to do the editing COW style -
> >> write out a .new and once that succeeds, then rename current to old
> >> and new to current.
> > Yes, I assumed that. What if there is an existing configuration?
> It would always use /etc/ssh/sshd_config whether it's the default
> installed, or a user modified one. The GUI Remote Login toggle would
> toggle both sshd.service stop/start/enable/disable states, and
> AllowUsers list. So something has to be able to parse this file.

I guess the main complication is making sure that AllowUsers occurs
before any Match blocks. And avoiding any AllowGroups/DenyGroups
complication.

Oh! An alternative which avoids any file parsing or writing: add an
"ssh-access" or similar group, configure default sshd_config with
"AllowGroups ssh-access". (Could be a Workstation-only sshd_config.)


On another note, I see that _all_ of the other sharing options are
actually _per network_. Maybe the "remote login" option should be the
same?


> Maybe PAM can be leveraged for this, since sshd_config defers to PAM
> already for authentication. So sshd could just ask PAM rather than
> modifying sshd_config directly.

Hmmm, maybe.

-- 
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader
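
The placement concern raised in this message (a global AllowUsers has to come before any Match block, and AllowGroups/DenyGroups complicate matters), as an added Python example that is not from the thread or from any Fedora tool. The function names, the sample config and the user names are constructed assumptions.

```python
import re

# Constructed sample: a global section followed by one Match block.
SAMPLE = """\
Port 22
PasswordAuthentication yes
AllowUsers olduser
Match Address 10.0.0.0/8
    PasswordAuthentication no
    AllowUsers backup
"""

GROUP_KEYWORDS = {"allowgroups", "denygroups"}


def keyword(line):
    """Return the lowercased sshd_config keyword on a line, or None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # Keyword and arguments are separated by whitespace or a single '='.
    return re.split(r"[\s=]+", stripped, maxsplit=1)[0].lower()


def set_global_allow_users(config_text, users):
    """Return config_text with exactly one global AllowUsers line.

    Only the global section (everything before the first Match line) is
    edited; a Match block runs until the next Match or end of file, so
    AllowUsers lines inside one are conditional and are left alone.
    """
    if not users:
        # Dropping AllowUsers entirely would allow every account.
        raise ValueError("refusing to write an empty AllowUsers list")
    lines = config_text.splitlines()
    keys = [keyword(line) for line in lines]
    first_match = keys.index("match") if "match" in keys else len(lines)
    global_keys = keys[:first_match]
    clash = GROUP_KEYWORDS.intersection(k for k in global_keys if k)
    if clash:
        # Group rules also gate logins; leave the file for a human to review.
        raise ValueError("global group rules present: " + ", ".join(sorted(clash)))
    kept = [l for l, k in zip(lines[:first_match], global_keys) if k != "allowusers"]
    new_line = "AllowUsers " + " ".join(users)
    return "\n".join(kept + [new_line] + lines[first_match:]) + "\n"
```

The returned text is what the COW-style writer described in the quoted message would write to the .new file before renaming.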

