So, probably some of you, at least, follow Fedora, perhaps in part to see what new desktop user oriented decision will make it into the next version of RHEL/CentOS.
You may have noticed how if Fedora, by some odd scheme, deems your password unworthy, you have to click Done two times.
So, the latest Anaconda takes this one step further: passwords that the system considers weak will no longer be allowed. While this will probably only be a minor inconvenience (add 3 bangs to the end, or something equally meaningless), a few on the fedora-testing list, including myself, think it's just one more solution seeking a problem.
At present, I don't know where one can lodge a protest. Hopefully, someone will care enough to file a bugzilla RFE.
Others may think it's a great idea--at last, users can't install with a password of 1234.
Anyway, since part of their push for it is that no one minds it, I thought I'd mention it here, as many of the desktop-oriented decisions get into Fedora, then into RH, and by then it's already too late.
On Fri, 30 Jan 2015 16:13:17 -0500 Scott Robbins wrote:
> You may have noticed how if Fedora, by some odd scheme, deems your password unworthy, you have to click Done two times.

CentOS 7 does that as well.
On Fri, Jan 30, 2015 at 03:39:47PM -0600, Frank Cox wrote:
> On Fri, 30 Jan 2015 16:13:17 -0500 Scott Robbins wrote:
>> You may have noticed how if Fedora, by some odd scheme, deems your password unworthy, you have to click Done two times.
> CentOS 7 does that as well.
Heh, I guess I've used good passwords in my installs then.
On Fri, Jan 30, 2015 at 2:04 PM, Scott Robbins scottro@nyc.rr.com wrote:
> On Fri, Jan 30, 2015 at 03:39:47PM -0600, Frank Cox wrote:
>> On Fri, 30 Jan 2015 16:13:17 -0500 Scott Robbins wrote:
>>> You may have noticed how if Fedora, by some odd scheme, deems your password unworthy, you have to click Done two times.
>> CentOS 7 does that as well.
> Heh, I guess I've used good passwords in my installs then.
I have to tap it twice all the time. But don't tell this to anyone! ;-)
Akemi
On Fri, 30 Jan 2015 14:15:05 -0800 Akemi Yagi amyagi@gmail.com wrote:
> On Fri, Jan 30, 2015 at 2:04 PM, Scott Robbins scottro@nyc.rr.com wrote:
>> On Fri, Jan 30, 2015 at 03:39:47PM -0600, Frank Cox wrote:
>>> On Fri, 30 Jan 2015 16:13:17 -0500 Scott Robbins wrote:
>>>> You may have noticed how if Fedora, by some odd scheme, deems your password unworthy, you have to click Done two times.
>>> CentOS 7 does that as well.
>> Heh, I guess I've used good passwords in my installs then.
> I have to tap it twice all the time. But don't tell this to anyone! ;-)

OP's point is that probably in RHEL8 you won't be able to do even that anymore. While I personally think this is a good idea, this has some potential to cause trouble or inconvenience down the line with regard to automated installs, broken kickstart scripts, various company policies regarding the root password, etc. I guess there are sensitive scenarios out there.

So if any CentOS user thinks they can be hurt by this change, they should do something about it now, rather than bitch about compatibility breakage when RHEL8 comes out in a couple of years. :-)

HTH, :-)
Marko
On Fri, Jan 30, 2015 at 11:27:55PM +0000, Marko Vojinovic wrote:
> On Fri, 30 Jan 2015 14:15:05 -0800 Akemi Yagi amyagi@gmail.com wrote:
>> On Fri, Jan 30, 2015 at 2:04 PM, Scott Robbins scottro@nyc.rr.com wrote:
>>>> CentOS 7 does that as well.
>>> Heh, I guess I've used good passwords in my installs then.
>> I have to tap it twice all the time. But don't tell this to anyone! ;-)
> OP's point is that probably in RHEL8 you won't be able to do even that anymore.

Exactly. There is some complaining going on on the Fedora testing list; not sure where else one can protest.
On Fri, Jan 30, 2015 at 4:09 PM, Scott Robbins scottro@nyc.rr.com wrote:
> There is some complaining going on on the Fedora testing list, not sure where else one can protest.
The thread starts here: https://lists.fedoraproject.org/pipermail/test/2015-January/124827.html
----- Original message -----
From: "PatrickD Garvey" patrickdgarveyt@gmail.com
To: "CentOS mailing list" centos@centos.org
Sent: Saturday 31 January 2015 02:21:28
Subject: Re: [CentOS] Another Fedora decision

> On Fri, Jan 30, 2015 at 4:09 PM, Scott Robbins scottro@nyc.rr.com wrote:
>> There is some complaining going on on the Fedora testing list, not sure where else one can protest.
> The thread starts here: https://lists.fedoraproject.org/pipermail/test/2015-January/124827.html
Hello All,
Isn't there an option in CentOS 7 to create a user without a password? Is this also for reasons of kickstart or such?

I had an unpleasant conversation with my brother-in-law at Christmas dinner last year. I am a sysadmin who "encourages" his users to have good password behavior. He is a Java developer who is encouraged by his sysadmin, and he doesn't like it.

His point in short: passwords are not all that important any more. All virus spreading and hacking these days is done by sending malicious mails and by visiting malicious sites.
Greetings, Johan
Hi Johan,
> His point in short: passwords are not all that important any more. All virus spreading and hacking these days is done by sending malicious mails and by visiting malicious sites.
<polemical-mode>If your brother in law doesn't see that the virus argument doesn't apply to the question of whether or not to choose strong passwords maybe he shouldn't be a software developer in the first place.</polemical-mode>
Strong passwords don't protect against viruses, phishing etc. pp., that is true. But having weak passwords opens a plethora of other attack vectors besides that, and as for instance the iTunes hack shows, there *are* real-world scenarios where passwords are attacked successfully. Just put an ssh server on a public IP and wait for a day, and you'll see how many.
Regarding the original issue, I don't see where requiring users to enter strong(ish) passwords in the GUI installer at installation time could do any harm except a minor inconvenience for some people. Kickstart is not affected, so automated installs won't break, and on the other hand the use of weak passwords may be reduced a bit by the change. I'm all for it.
Cheers,
Peter.
On Sat, January 31, 2015 4:19 am, johan.vermeulen7@telenet.be wrote:
> ----- Original message -----
> From: "PatrickD Garvey" patrickdgarveyt@gmail.com
> To: "CentOS mailing list" centos@centos.org
> Sent: Saturday 31 January 2015 02:21:28
> Subject: Re: [CentOS] Another Fedora decision
>
>> On Fri, Jan 30, 2015 at 4:09 PM, Scott Robbins scottro@nyc.rr.com wrote:
>>> There is some complaining going on on the Fedora testing list, not sure where else one can protest.
>> The thread starts here: https://lists.fedoraproject.org/pipermail/test/2015-January/124827.html
>
> Hello All,
>
> Isn't there an option in CentOS 7 to create a user without a password? Is this also for reasons of kickstart or such?
>
> I had an unpleasant conversation with my brother-in-law at Christmas dinner last year. I am a sysadmin who "encourages" his users to have good password behavior. He is a Java developer who is encouraged by his sysadmin, and he doesn't like it.
>
> His point in short: passwords are not all that important any more. All virus spreading and hacking these days is done by sending malicious mails and by visiting malicious sites.
Java developer, huh. Were it me, I would definitely mention that Java-related stuff adds its very noticeable share to compromises. From a sysadmin's point of view Java is a disaster: mostly you are executing someone else's code (a Java applet from remote ...) on your own machine. Of course, I know my opinion is highly amplified by my not getting along with the Java language, as opposed to the multitude of other languages I get along with. Tell him to look some time into the ssh log and count unsuccessful connection attempts. And I'm sure an analogy like not locking your apartment door just because your building door is locked, or better, because on local radio they announced no thieves are roaming in your town, is kind of a weak reason. Even a Java developer's brain should grasp it (no, it was intended as a joke, not as an offense. I do use and admire brilliant software written in Java! And I'm grateful to the brilliant Java programmers who wrote software I can not write!)

Going back to the password discussion. Interestingly, I was never bugged by the installer for using a weak password (which I don't). Still, I consider it counterproductive to force any requirements onto people who do not care about the original goal of them (security in this case). I remember in the past some sysadmin discussion about forcing your users to use very sophisticated passwords (passphrases, we would say these days) and, even worse, forcing them to change passwords often. Basically, the most sane view (IMHO) is: a person's ability to memorize and type the password is most important. And users will change their password promptly when there is reason to suspect the password was compromised; users are much more cooperative if you don't put unnecessary burden on them. If you do the sysadmin job well, it will be remote compromises that you deal with (when a user's password got stolen elsewhere, say when the user logged into your server from a compromised machine). Thus running a multi-user machine under the assumption that bad guys are already in is the right attitude. Keep the machine free of local exploits. Have good backups (so you can restore the files of an unlucky user if his/her files are obliterated by an intruder). And watch what is happening on the machine.

Do I advocate weak passwords? No, by no means. However, it is really unreasonable to think that you can make a system such that it will force people not to do stupid things (use bad passwords). So, I for one do like what the passwd command does now: it warns you that the password is weak when typed the first time, and accepts that weak password if you insist and type it a second time. A person willing to do a bad thing will find a way around any protection to do it, in an even worse way.
Just my $0.02
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
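Both Peter and Valeri point at the ssh log as the place to see password attacks happening in practice. As an added example that is not part of the thread, here is a small POSIX shell script that counts failed password attempts per source address from sshd log lines; the log lines are constructed for the example and use documentation address ranges, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH password attempts
# per source address in sshd log lines. Constructed sample log, not real data.
SAMPLE_LOG='Jan 31 02:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 31 02:10:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jan 31 02:10:04 host sshd[1202]: Accepted publickey for alice from 198.51.100.7 port 50234 ssh2
Jan 31 02:10:09 host sshd[1203]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jan 31 02:10:11 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2'

# failed_by_source LOGTEXT: print "count address" lines, busiest source first.
# Only "Failed password" lines from sshd count; accepted logins are ignored.
failed_by_source() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) print n[a], a }' |
    sort -rn
}

# total_failed LOGTEXT: total number of failed password attempts.
total_failed() {
    printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Failed password for'
}

# top_offender LOGTEXT: the source address with the most failures.
top_offender() {
    failed_by_source "$1" | head -n 1 | awk '{print $2}'
}

failed_by_source "$SAMPLE_LOG"
```

On a CentOS 7 host the same functions can be fed the output of `cat /var/log/secure` or `journalctl -u sshd --no-pager` instead of the sample text.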
On 01/30/2015 06:09 PM, Scott Robbins wrote:
> On Fri, Jan 30, 2015 at 11:27:55PM +0000, Marko Vojinovic wrote:
>> On Fri, 30 Jan 2015 14:15:05 -0800 Akemi Yagi amyagi@gmail.com wrote:
>>> On Fri, Jan 30, 2015 at 2:04 PM, Scott Robbins scottro@nyc.rr.com wrote:
>>>>> CentOS 7 does that as well.
>>>> Heh, I guess I've used good passwords in my installs then.
>>> I have to tap it twice all the time. But don't tell this to anyone! ;-)
>> OP's point is that probably in RHEL8 you won't be able to do even that anymore.
> Exactly. There is some complaining going on on the Fedora testing list, not sure where else one can protest.

Well, protesting here would be meaningless, as is protesting systemd here. CentOS-8 will have whatever is in the RHEL-8 source code, exactly as it is in that source code minus branding. Just like CentOS-2.1, 3, 4, 5, and 6. Our goal is to rebuild the source code exactly, bugs and all. We want all the behaviors and the experience to be identical in every way.

If you want to effect change before it gets into RHEL, then Fedora is the place. If you want to get it changed in CentOS, then buying RHEL and providing feedback there is the way. We are, by design, exactly as Red Hat pushes the RHEL source code.
On Sat, January 31, 2015 4:14 am, Johnny Hughes wrote:
> On 01/30/2015 06:09 PM, Scott Robbins wrote:
>> On Fri, Jan 30, 2015 at 11:27:55PM +0000, Marko Vojinovic wrote:
>>> On Fri, 30 Jan 2015 14:15:05 -0800 Akemi Yagi amyagi@gmail.com wrote:
>>>> On Fri, Jan 30, 2015 at 2:04 PM, Scott Robbins scottro@nyc.rr.com wrote:
>>>>>> CentOS 7 does that as well.
>>>>> Heh, I guess I've used good passwords in my installs then.
>>>> I have to tap it twice all the time. But don't tell this to anyone! ;-)
>>> OP's point is that probably in RHEL8 you won't be able to do even that anymore.
>> Exactly. There is some complaining going on on the Fedora testing list, not sure where else one can protest.
> Well, protesting here would be meaningless, as is protesting systemd here. CentOS-8 will have whatever is in the RHEL-8 source code, exactly as it is in that source code minus branding. Just like CentOS-2.1, 3, 4, 5, and 6. Our goal is to rebuild the source code exactly, bugs and all. We want all the behaviors and the experience to be identical in every way.
>
> If you want to effect change before it gets into RHEL, then Fedora is the place. If you want to get it changed in CentOS, then buying RHEL and providing feedback there is the way. We are, by design, exactly as Red Hat pushes the RHEL source code.

No, this is great. We like CentOS for exactly what it is: a binary replica of Red Hat Enterprise. And even if we complain sometimes here on the CentOS list about this or that, we do not (at least I do not) expect it changed in CentOS the way we like it, making CentOS different from Red Hat Enterprise. It is more like "letting our steam out", so ideally we probably shouldn't do it at all. However, the password thread (which I haven't added to yet) just reminds all of us about good practices. So, this discussion (without any expectation of changes in CentOS) may still be appropriate and helpful.

Thanks to the CentOS team for the great job you guys are doing! (We always have that in mind, rarely say it though.)

Valeri
On 01/30/2015 05:27 PM, Marko Vojinovic wrote:
> While I personally think this is a good idea, this has
> some potential to maybe cause trouble or inconvenience down the line, with regards to automated installs, broken kickstart scripts,
> ...
Kickstart installs with an already encrypted password in the kickstart file would not be affected. The only way the installer could know how weak the password was would be to spend the time to guess it.
For those interested, a ticket has been opened with FESCo.
https://fedorahosted.org/fesco/ticket/1412
On 2015-01-30, Scott Robbins scottro@nyc.rr.com wrote:
> Others may think it's a great idea--at last, users can't install with a password of 1234.
That's the same combination as my luggage!
--keith
(actually it's 12345, but don't tell anyone)
On 31 Jan 2015, at 07:43, Scott Robbins scottro@nyc.rr.com wrote:
> So, probably some of you, at least, follow Fedora, perhaps in part to see what new desktop user oriented decision will make it into the next version of RHEL/CentOS.

I'd be more worried about Fedora 21 Workstation defaulting to having ports 1025-65535 open by default.