[CentOS] Another Fedora decision

Sat Jan 31 15:34:52 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Sat, January 31, 2015 4:19 am, johan.vermeulen7 at telenet.be wrote:
> ----- Original Message -----
> From: "PatrickD Garvey" <patrickdgarveyt at gmail.com>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Saturday 31 January 2015 02:21:28
> Subject: Re: [CentOS] Another Fedora decision
> On Fri, Jan 30, 2015 at 4:09 PM, Scott Robbins <scottro at nyc.rr.com> wrote:
>> There is some complaining going on on the Fedora testing list,
>> not sure where else one can protest.
> The thread starts here:
> https://lists.fedoraproject.org/pipermail/test/2015-January/124827.html
> Hello All,
> isn't there the option in CentOS 7 to create a user without a password?
> Is this also for reasons of kickstart or such as well?
> I had an unpleasant conversation with my brother-in-law at Christmas
> dinner last year.
> I am a sysadmin who "encourages" his users to have good password behavior.
> He is a Java developer who is encouraged by his sysadmin, and he doesn't
> like it.
> His point in short: passwords are not all that important any more.
> All virus spreading and hacking these days is done by sending malicious
> mails and by visiting malicious sites.

Java developer, huh. Were it me, I would definitely mention that Java-related
stuff adds its very noticeable share to compromises. From a sysadmin's point
of view Java is a disaster: mostly you are executing someone else's code
(a Java applet from remote ...) on your own machine. Of course, I know my
opinion is highly amplified by my not getting along with the Java language as
opposed to the multitude of other languages I get along with. Tell him to look
some time into the ssh log and count unsuccessful connection attempts. And I'm
sure an analogy like not locking your apartment door just because your
building door is locked, or better yet because on local radio they
announced no thieves are roaming in your town, is kind of a weak reason.
Even a Java developer's brain should grasp it (no, it was intended as a joke,
not as an offense. I do use and admire brilliant software written in Java!
And I'm grateful to the brilliant Java programmers who have written software I can not

Going back to the password discussion. Interestingly, I was never bugged by
the installer for using a weak password (which I don't). Still, I consider it
counterproductive to force any requirements onto people who do not care
about the original goal of them (security in this case). I remember in the
past some sysadmin discussion about forcing your users to use very
sophisticated passwords (passphrases, we would be saying these days) and
even worse: forcing them to change passwords often. Basically, the most
sane view (IMHO) is: a person's ability to memorize and type the password is
most important. And users will change the password promptly when there is
reason to suspect the password was compromised; users are much more
cooperative if you don't put an unnecessary burden on them. If you do the
sysadmin job well, it will be remote compromises that you will deal with
(when the user's password got stolen elsewhere, say when the user logged into your
server from a compromised machine). Thus running a multi-user machine under
the assumption that the bad guys are already in is the right attitude. Keep the machine
free of local exploits. Have good backups (so you can restore the files of an unlucky
user if his/her files are obliterated by an intruder). And watch what is
happening on the machine.

Do I advocate for weak passwords? No, by no means. However, it is really
unreasonable to think that you can make a system such that it will force
people not to do stupid things (use bad passwords). So, I for one do like
what the passwd command does now: it warns one that the password is weak when
typed the first time, and accepts that weak password if one insists and types
it a second time. A person willing to do a bad thing will find a way around
any protection to do it, in an even worse way.

Just my $0.02


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
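The reply above suggests looking into the ssh log and counting unsuccessful connection attempts. The following is an added example, not code from the thread or from CentOS, that does exactly that over a handful of constructed sshd log lines in the default syslog format: it tallies failed password attempts per source address and per username, flags sources that cross a threshold, and lists successful logins that came from a source with earlier failures (the "stolen password used from elsewhere" case the reply describes). The log lines, the threshold value and the documentation-range addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the thread). Source
# addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24, so they never point at a real host.
SAMPLE_LOG = """\
Jan 31 10:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 5122 ssh2
Jan 31 10:01:04 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 5123 ssh2
Jan 31 10:01:07 host sshd[2203]: Failed password for root from 203.0.113.5 port 5124 ssh2
Jan 31 10:02:15 host sshd[2210]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Jan 31 10:02:20 host sshd[2210]: Accepted password for alice from 198.51.100.7 port 40110 ssh2
Jan 31 10:03:01 host sshd[2215]: Accepted publickey for bob from 192.0.2.9 port 51000 ssh2
Jan 31 10:04:44 host sshd[2220]: Invalid user test from 203.0.113.5 port 5130
"""

# "invalid user" is optional: sshd prints it when the account does not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize_sshd(log_text):
    """Count failed password attempts per source and per user, and collect
    successful logins in the order they appear."""
    failures_by_source = Counter()
    failures_by_user = Counter()
    accepted = []  # (user, source, auth method)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures_by_source[src] += 1
            failures_by_user[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((user, src, method))
    return {
        "failures_by_source": failures_by_source,
        "failures_by_user": failures_by_user,
        "accepted": accepted,
    }


def suspicious_sources(summary, threshold=3):
    """Sources with at least `threshold` failed attempts (threshold is an
    arbitrary constructed value; tune it to the host's normal traffic)."""
    return sorted(src for src, n in summary["failures_by_source"].items()
                  if n >= threshold)


def successes_after_failures(summary):
    """Successful logins from a source that also produced failures: a
    guessed or stolen password, or a user mistyping, both worth a look."""
    failures = summary["failures_by_source"]
    return [(user, src, failures[src])
            for user, src, _method in summary["accepted"]
            if failures.get(src, 0) > 0]


if __name__ == "__main__":
    s = summarize_sshd(SAMPLE_LOG)
    print("failed attempts per source:", dict(s["failures_by_source"]))
    print("failed attempts per user:  ", dict(s["failures_by_user"]))
    print("sources over threshold:    ", suspicious_sources(s))
    print("successes after failures:  ", successes_after_failures(s))
```

On a real CentOS 7 host the same functions can be fed the contents of /var/log/secure; the regular expressions only depend on sshd's own message format, not on the syslog prefix.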