[CentOS] Fedora change that will probably affect RHEL

Tue Jul 28 20:27:29 UTC 2015
Chris Murphy <lists at colorremedies.com>

On Tue, Jul 28, 2015 at 11:27 AM, Warren Young <wyml at etr-usa.com> wrote:

> Much of the evil on the Internet today — DDoS armies, spam spewers, phishing botnets — is done on pnwed hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people’s machines.

Your freedom to have sshd enabled by default stops at the point where
exercising that freedom creates risk to other people's machines.

I can also use that logic with, password based auth by default, rather
than PKA by default.

A rather strong argument can be made, much more so than a very weak >
weak password quality policy, for sshd on a default 7 day disable
timer. That is, by default, after 7 days, sshd is stopped and
disabled. In the autopsies of pwned computers is the quickly
provisioned server with a standard simple in-house password for such
things, with the idea that after configuration the password will get
changed or more likely sshd is disabled or it'll be added to firewall
filtering. The reality is all the bad practices happen because this
quickly provisioned machine is forgotten about for one reason or
another, and then it gets owned.

Well, disabling sshd after 7 days would stop all of that and yet
doesn't prevent initial configuration.

More likely, I think we'll see either sshd disabled by default or PKA
required by default, both being provisioned via Cockpit. And that's
because the minimum password quality under discussion is still rather
weak when it comes to being able to put a system directly on the
Internet or facing it with port forwarding while taking no other
precautions. And yet the weak password policy is too strong for many
legitimate use cases where the use case/environment aren't high risk
for such passwords.



-- 
Chris Murphy