Summary of password strength discussion

Chris Murphy lists at colorremedies.com
Tue Jul 28 16:52:02 UTC 2015


On Tue, Jul 28, 2015 at 9:43 AM, Matthew Miller
<mattdm at fedoraproject.org> wrote:
> On Mon, Jul 27, 2015 at 08:07:32PM -0600, Chris Murphy wrote:
>> >> Not the user, the GUI asks a service to do the editing COW style -
>> >> write out a .new and once that succeeds, then rename current to old
>> >> and new to current.
>> > Yes, I assumed that. What if there is an existing configuration?
>> It would always use /etc/ssh/sshd_config whether it's the default
>> installed, or a user modified one. The GUI Remote Login toggle would
>> toggle both sshd.service stop/start/enable/disable states, and
>> AllowUsers list. So something has to be able to parse this file.
>
> I guess the main complication is making sure that AllowUsers occurs
> before any Match blocks. And avoiding any AllowGroups/DenyGroups
> complication.
>
> Oh! An alternative which avoids any file parsing or writing: add an
> "ssh-access" or similar group, configure default sshd_config with
> "AllowGroups ssh-access". (Could be a Workstation-only sshd_config.)

Maybe. Elsewhere I read that AllowUsers overrides AllowGroups. So as
soon as you have AllowUsers chris, it basically ignores AllowGroups
and only allows chris. But that's goofy if true.


> On another note, I see that _all_ of the other sharing options are
> actually _per network_. Maybe the "remote login" option should be the
> same?

Funny enough, I can't turn any of these services on, except Remote
Login. The upper left slider in Personal File Sharing, Screen
Sharing, and Media Sharing are all set to Off, grayed out, and can't
be flipped to On. So I can't really explore the Networks interface in
each of these.

But my gut instinct is that sharing services UI should only be about
configuring those services. Whether I want them available or not on
certain networks is a function of my relative trust of the network I'm
connected to, and hence that's a heuristically automagically managed
firewalld thing. So I'd actually pull the Networks UI out of each
of these rather than add it to Remote Login. I don't want to see such
configuration choices in two UIs.


-- 
Chris Murphy
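
The edit the thread describes (a service that rewrites the global AllowUsers list ahead of any Match block, flags AllowGroups/DenyGroups, and swaps the file in via a .new copy), sketched as an added example; it is not code from this thread or from any Fedora or GNOME component. The function names `set_allow_users` and `write_cow` and the sample config are assumptions made for illustration, and the old file is kept by copying rather than renaming so the live path never disappears.

```python
import os, re, shutil

# Constructed sample config, for illustration only.
SAMPLE = """\
Port 22
AllowUsers olduser
AllowGroups wheel
Match Address 10.0.0.0/8
    AllowUsers backup
"""

def keyword(line):
    """Lower-cased sshd_config keyword, or None for blank/comment lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    return re.split(r"[\s=]+", s, maxsplit=1)[0].lower()

def set_allow_users(text, users):
    """Return (new_text, warnings) with a single global AllowUsers line."""
    if not users or not all(re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", u) for u in users):
        raise ValueError("empty list or unsafe user name")  # no config injection
    new_line = "AllowUsers " + " ".join(users)
    out, warnings, in_match = [], [], False
    for line in text.splitlines():
        kw = keyword(line)
        if kw == "match" and not in_match:
            in_match = True
            out.append(new_line)      # must precede the first Match block
        if kw == "allowusers" and not in_match:
            continue                  # old global list is replaced
        if kw in ("allowgroups", "denygroups"):
            warnings.append(line.strip())  # interacts with AllowUsers; review
        out.append(line)
    if not in_match:
        out.append(new_line)
    return "\n".join(out) + "\n", warnings

def write_cow(path, new_text):
    """Write path.new, keep the current file as path.old, then swap atomically."""
    new = path + ".new"
    with open(new, "w") as f:
        f.write(new_text)
        f.flush()
        os.fsync(f.fileno())
    shutil.copymode(path, new)        # keep the original permission bits
    shutil.copy2(path, path + ".old") # copy, so path never goes missing
    os.replace(new, path)             # atomic rename on POSIX
```

A service doing this for real would also validate the `.new` file with `sshd -t -f` before the swap and leave the file alone if validation fails.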

