On Tue, Jul 28, 2015 at 3:10 PM, Robert Wolfe <Robert.Wolfe at malco.com> wrote: > -----Original Message----- > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Chris Murphy > Sent: Tuesday, July 28, 2015 3:46 PM > To: CentOS mailing list > Subject: Re: [CentOS] Fedora change that will probably affect RHEL > > [...] > > What you said: > > "Windows Server has power shell disabled by default. The functional equivalent, sshd, is typically enabled on Linux servers. So I think it's overdue that sshd be disabled on Linux servers by default, especially because the minimum password quality under discussion is still not good enough for forward facing servers on the Internet with static IPv4 addresses. They will get owned eventually if they use even the new minimum pw quality, and that's why I see pw quality as the wrong emphasis - at least for workstations." > > And my reply: > > For things like SSH and RDP I use two-factor authentication using DUO. For the machines that I absolutely have to have these kinds of access two (my BBS for RDP and my mail server for SSH), this works well I think at providing an extra layer of security for both protocols and is quite affordable and is easy to administer. OK but imagine making that the default, and how many workflows that don't need that level of authentication will be bothered in one form or another: a.) change workflow b.) learn how to revert the behavior. It's one thing to disable sshd by default because pretty much everyone familiar with a particular distribution will be familiar with console/OOB enabling of sshd, or eventually being used to initially accessing a web interface to enable such a service. -- Chris Murphy