[CentOS] Another Fedora decision

Tue Feb 3 00:57:31 UTC 2015
Kahlil Hodgson <kahlil.hodgson at dealmax.com.au>

On 3 February 2015 at 10:31, Always Learning <centos at u64.u22.net> wrote:
> If testing then a one character password is very acceptable to me. Why
> should some arrogant nutter impose an arduous ultra secure password when
> a simple one character password will suffice ?  Who knows the machine,
> the deploying environment and the circumstances better ?  The user or
> some anonymous and arrogant nutter perhaps many thousands of miles (or
> kilometers) away ?

I know it's hard to believe, but you are not the only one using this
OS.  There are a broad range of users with a broad range of experience
using the OS in a broad range of scenarios.  One important group is new
users with limited experience and knowledge about security.  This is
an important group to protect.  More experienced users understand this
and put up with, or work around, the occasional inconvenience.  This
is not arrogance, this is about being a responsible member of a
community.  It is important for all of us to encourage (and discuss)
good security practices, as well as discourage (and refute) poor
practices. Ultimately, this makes our community a safer place.

It is my, perhaps naive, hope that members of our community are Always
Learning about good security practices and emerging threats to the OS.

The root password is close to, if not actually, our last line of
defense (SELinux helps us here by the way). Using a one character
password is problematic if you are connected to the internet, for
example, if you are _testing_ the OS and want to run updates after the
install. This is problematic since, by default, new installs typically
allow SSH access and root logins over SSH. Yes, firewalls help, but
they need to be configured correctly, and there are subtle tricks that
sophisticated attackers can exploit to subvert poorly configured
firewalls. If you really want to do this, I'd suggest running your
test system in some kind of DMZ to prevent any exploit cascading into
the rest of your network.  It may just be easier to pick a "good" but
easy to type root password that you use for all your test machines.
Also, it's a good idea to make sure you always turn off your test
machines when not in use, and to disable them once you are finished
testing (so they can't be accidentally turned on in the future).

Hope this helps.

Kal
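The risk Kal describes (a stock install that accepts root logins over SSH, so a trivial root password is exposed to the whole internet) can be checked on the box itself. The script below is an added example, not part of the thread; it assumes OpenSSH's sshd_config syntax, and the two configs it audits are constructed temporary files rather than real system files.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the setting
# the post warns about, root logging in over SSH with a (weak) password.
# Assumes OpenSSH sshd_config syntax; the files below are constructed.

# Effective value of a keyword. sshd honours the FIRST occurrence, keywords
# are case-insensitive, "key=value" is accepted, and anything after a Match
# line is conditional, so the scan stops there. Prints $3 when absent.
sshd_effective() {             # $1 = config file, $2 = keyword, $3 = default
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        { gsub(/=/, " ") }                              # key=value form
        tolower($1) == "match" { exit }                 # conditional section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }' "$1"
}

# Returns 0 when root cannot log in over SSH with a password, 1 otherwise.
# "no", "prohibit-password" and "without-password" all block that. The
# defaults passed in ("yes") match the stock install the thread describes;
# newer OpenSSH releases default PermitRootLogin to prohibit-password.
audit_sshd_config() {          # $1 = path to an sshd_config
    root=$(sshd_effective "$1" PermitRootLogin yes)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    case "$root" in
        no|prohibit-password|without-password) return 0 ;;
    esac
    [ "$pass" = "no" ] && return 0
    echo "RISK: PermitRootLogin=$root PasswordAuthentication=$pass ($1)" >&2
    return 1
}
# Constructed sample configs (temporary files, not real system files).
WEAK_CFG=$(mktemp) && HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock-style file: the commented line leaves the default (yes) in force
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin=no
# lines after Match are conditional and must not change the global answer
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then echo "ok: $f"; fi
done
```

Pointing `audit_sshd_config` at `/etc/ssh/sshd_config` on a freshly installed test box shows whether the default the post describes is still in force before the machine is put on a network.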