On Tue, Jul 28, 2015 at 4:34 PM, Warren Young <wyml at etr-usa.com> wrote:

> That's only true if the majority of people will in fact override the default policy. The current behavior in Fedora and CentOS lets you click Done twice and bypass the weak password complaint.
>
> But as I have repeatedly pointed out here, the stock rules really are not that onerous. They basically encode best practices established 20 years ago.

In order to protect a system that's Internet facing with challengeresponseauth (rather than PKA), the minimum password quality would need to be at least initially onerous. Whereas if things are properly configured such that ssh is only used internally, all you have to worry about are internal attacks, which are hopefully rather rare.

-- 
Chris Murphy