[CentOS] Fedora change that will probably affect RHEL

Wed Jul 29 01:55:10 UTC 2015
Chris Murphy <lists at colorremedies.com>

On Tue, Jul 28, 2015 at 5:46 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Jul 28, 2015, at 2:46 PM, Chris Murphy <lists at colorremedies.com> wrote:
>>
>> My dad will absolutely stop using his iPad if it ever
>> requires him to use anything more than 4 numeric digits for his
>> password. The iPad never leaves the house.
>
> iPads can’t be co-opted into a botnet.  The rules for iPad passwords must necessarily be different than for CentOS.

Windows has a lower minimum acceptable password quality than CentOS.
OS X has a lower minimum still than Windows - as in, a single number
is accepted. For an admin. With sshd enabled. And yet the Mac world
does not burn.

That doesn't mean single digit passwords are good, or should be
recommended. It just means Apple doesn't care to fight that battle, or
dump requirements onto the user. Instead they dump requirements onto
the OS and onto application developers with better defaults: sshd is
disabled, application binaries must be signed, App Store applications
run in something like a sandbox, etc.

So they are building up defenses elsewhere, rather than shifting the
responsibility onto the user in the form of weird and confusing
password requirements and the commensurate UI.


>
>> the Mac has SSH PKA required.
>
> True, but more on-point here is that OS X ships with sshd disabled by default.  You have to dig into the pref panes and tick an obscurely-named checkbox to enable it.

Two points of clarity:
1. The quoted text above is a configuration change I made; OS X does
not require PKA out of the box.

2. Fedora Workstation has sshd disabled by default, and you have to
dig into the pref panes to enable an identically named service "Remote
Login"; although enabling it takes solidly three more clicks on GNOME
than OS X. So in some strange sense it's less likely to be
inadvertently enabled on GNOME.


>> Their online services are another
>> matter, those I've made very clear they will be strong or they don't
>> get to play.
>
> The Apple ID password rules are a fair bit stronger than the libpwquality rules we’ve been discussing here, and have been so for some time:
>
>   https://support.apple.com/en-us/HT201303
>
> Given that recent OS X releases want to use your Apple ID as the OS login credentials, that effectively makes these the OS password quality rules, too.

No, that's not true. The user is encouraged to authenticate this way;
they are not required to, and it's very easy to bypass. I don't use it.
Windows has a similar behavior, but rather strongly implies it's the
only way to set up a user account (via an Outlook account), but that too
can be bypassed.

What is currently in the Anaconda master branch, which is how Fedora
Rawhide has behaved for ~6 months, is that you get a show-stopper
installation if you don't meet the minimum password requirement. And
that requirement is not stated or explained. It's basically "it's not
good enough, try again".

> Fedora is late to the party, and CentOS consequently even later.

Where Fedora and CentOS are late to the party is improving defenses
that don't require the user to do anything differently.

-- 
Chris Murphy