On Tue, Jul 28, 2015 at 1:06 PM, Chris Adams <linux at cmadams.net> wrote:
> Once upon a time, Warren Young <wyml at etr-usa.com> said:
>> Much of the evil on the Internet today — DDoS armies, spam spewers, phishing botnets — is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Since most of that crap comes from Windows hosts, the security of Linux
> SSH passwords seems hardly relevant.

Botnets are terrible; it doesn't matter how many of them there are or on what platform. The reason why they exist is bad practices. So there needs to be better application of best practices, and best practices need to be easier and default and automatic whenever possible. That applies to all platforms.

So I'm not opposed to changes in Fedora, and by extension eventually to CentOS and RHEL, but they have to be balanced out. Windows Server has PowerShell disabled by default. The functional equivalent, sshd, is typically enabled on Linux servers. So I think it's overdue that sshd be disabled on Linux servers by default, especially because the minimum password quality under discussion is still not good enough for forward-facing servers on the Internet with static IPv4 addresses. They will get owned eventually if they use even the new minimum pw quality, and that's why I see pw quality as the wrong emphasis - at least for workstations.

>> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> Your freedom to dictate terms to me stops at my system, which you cannot
> access even if I set the password to "12345". You are making an
> assumption that every Fedora/CentOS install is on the public Internet,
> and then applying rules based on that (false) assumption.

Exactly. My dad will absolutely stop using his iPad if it ever requires him to use anything more than 4 numeric digits for his password. The iPad never leaves the house.

Future concern is IPv6 stuff, now that Xfinity has forcibly changed their hardware to include full IPv6 support. I have no idea if this is NAT'd or rolling IPs or what. But the iPad has no remote services enabled. And the Mac has SSH PKA required. So I'm not that concerned about their crappy login passwords. Their online services are another matter; those I've made very clear they will be strong or they don't get to play.

-- 
Chris Murphy
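The message above settles on "SSH PKA required" (public-key authentication, no passwords) as the posture that makes login password quality irrelevant. The script below is an added example, not part of the list thread or of any project, showing how to check an sshd_config fragment for that posture. The three configs are constructed inline; the one real subtlety it encodes is that sshd honours the first occurrence of a keyword and ignores later duplicates, so a "PasswordAuthentication no" appended at the bottom of a file that already says "yes" changes nothing.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit sshd_config text
# for a public-key-only login policy. Sample configs are constructed below.

# Print the effective global value of KEYWORD, read from stdin, lowercased.
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates;
# settings after a "Match" line apply conditionally, so we stop there.
sshd_effective() {
    key=$1
    awk -v key="$key" '
        tolower($1) == "match"      { exit }          # conditional section
        $1 ~ /^#/ || NF < 2         { next }          # comment or blank
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# Succeed (exit 0) when CONFIG text requires public keys: password
# authentication explicitly off, and pubkey authentication not disabled
# (sshd's compiled-in default for both is "yes").
pka_required() {
    cfg=$1
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication)
    [ "${pw:-yes}" = no ] && [ "${pk:-yes}" = yes ]
}

# Constructed sample 1: a stock-looking file where the commented-out line is
# just documentation, so the default (passwords allowed) still applies.
WEAK_CFG='
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
'

# Constructed sample 2: hardened. The stray "yes" at the end is ignored
# because the first occurrence wins.
HARDENED_CFG='
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
'

# Constructed sample 3: someone appended "no" below an existing "yes";
# this still allows password logins.
TRAP_CFG='
PasswordAuthentication yes
PasswordAuthentication no
'

# One-line verdict per sample; returns the number of weak configs found.
report() {
    weak=0
    for name in WEAK_CFG HARDENED_CFG TRAP_CFG; do
        eval "cfg=\$$name"
        if pka_required "$cfg"; then
            echo "$name: public-key only"
        else
            echo "$name: password logins still possible"
            weak=$((weak + 1))
        fi
    done
    return $weak
}

report || true
```

On a live host, `sshd -T` prints the fully resolved effective configuration (including compiled-in defaults), which is a more reliable input to this kind of check than reading the file by hand; piping its output into `sshd_effective` works the same way because the keywords come out one per line.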