Heads up - Anaconda 22.17 will enforce 'good' passwords

Chris Murphy lists at colorremedies.com
Sat Jan 31 01:19:46 UTC 2015


On Fri, Jan 30, 2015 at 3:03 PM, Adam Williamson
<adamwill at fedoraproject.org> wrote:
> On Fri, 2015-01-30 at 14:49 -0700, Chris Murphy wrote:
>>
>> I just don't see any consideration here except specious statements
>> like better security is always a plus. That was the summary extent
>> of the entire decision making process.
>
> Well, no, AFAICS there isn't anything like that. It was a fairly
> lightly considered change. The threat it's primarily addressing is
> that sshd with password login is enabled out of the box in at least
> some of the configurations anaconda deploys, and is therefore
> vulnerable to brute force attacks. Secondarily it's about local user
> accounts.

I'm amused because Fedora Server WG was so dead set against the
original change proposal, they were willing to consider overriding it
with a per-product config. I wonder if the Server SG would like to
consider a per-product config for stronger passwords to mitigate sshd
being enabled by default? Or reconsider it being enabled by default
seeing as it apparently comes with the baggage of collective
punishment.

What is this about local user accounts? Workstation doesn't put users
in wheel by default. OS X and Windows both do, and yet they allow any
password to be set.


> I think the main point is the one nirik made; I don't think the devs
> agree with your assessment of how significant this is.

I thought you wanted to wait for them to respond before assuming what
they think?

They didn't agree with my or other people's assessments with the last
password change in the installer, which likewise was considered a
light change by the devs, and was done without any meaningful
discussion. Calm inquiry and criticism was discarded, then as now. And
it took a devel@ shit show to get it reverted, that's how well they
anticipated that debacle.

Does anyone think Google, Microsoft, Apple, have not considered
mandatory strong passwords with their products? Why do you think they
haven't done it?

-- 
Chris Murphy
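The threat named in the quoted reply, sshd with password login exposed to brute-force guessing, is something a defender can observe directly in the authentication log. As an added example that is not part of the original post or of anaconda, the following Python scans constructed sshd log lines (the hostnames, usernames and addresses are placeholders), counts failed password attempts per source address, and flags sources that cross a guessing threshold. It also reports a successful login from a source that previously failed, which is the event worth looking at in a real incident.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines; not taken from the mailing-list thread.
SAMPLE_LOG = """\
Jan 30 14:49:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 30 14:49:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jan 30 14:49:05 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 51026 ssh2
Jan 30 14:49:08 host sshd[1207]: Failed password for root from 198.51.100.7 port 51028 ssh2
Jan 30 14:49:10 host sshd[1209]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jan 30 14:50:12 host sshd[1220]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jan 30 14:50:20 host sshd[1222]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and the
# "Failed password for invalid user X from ..." variant sshd logs.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def parse_events(log_text):
    """Yield (result, user, ip) tuples for every password-auth line."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def failed_attempts(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for result, _user, ip in parse_events(log_text):
        if result == "Failed":
            counts[ip] += 1
    return counts


def usernames_tried(log_text):
    """Distinct usernames guessed per source; many names from one source is
    the typical brute-force pattern."""
    tried = defaultdict(set)
    for result, user, ip in parse_events(log_text):
        if result == "Failed":
            tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}


def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in failed_attempts(log_text).items() if n >= threshold)


def successes_after_failure(log_text):
    """(ip, user) pairs where a source logged in after earlier failures.
    A hit here is what turns 'noisy guessing' into 'possible compromise'."""
    failed_from = set()
    hits = []
    for result, user, ip in parse_events(log_text):
        if result == "Failed":
            failed_from.add(ip)
        elif ip in failed_from:
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    print("failed attempts per source:", dict(failed_attempts(SAMPLE_LOG)))
    print("usernames tried:", usernames_tried(SAMPLE_LOG))
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("success after failure:", successes_after_failure(SAMPLE_LOG))
```

On a Fedora host the input would come from `journalctl -u sshd` rather than a string; the threshold of five is an arbitrary value for the sample, and a single failure followed by success (203.0.113.5 above) is usually a typo, so it is reported but not flagged as guessing.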